我尝试在 AWS ECS 中部署一个 Fargate 容器，但是收到了以下错误：
error getting rds cred staging/tas:
{
"message": "The security token included in the request is invalid",
"code": "UnrecognizedClientException",
"time": "2020-06-07T06:10:17.324Z",
"requestId": "5a3287f8-8c7b-49f9-b346-9239840f05bd",
"statusCode": 400,
"retryable": false,
"retryDelay": 7.012616197026311
}
由于我使用的是 Fargate，接下来我检查了任务角色和任务执行角色。它们使用的是同一个 IAM 角色，其策略与 AmazonECSTaskExecutionRolePolicy 相同：
{
"Statement": [
{
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"logs:CreateLogStream",
"logs:PutLogEvents",
"secretsmanager:GetSecretValue"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
根据要求，我在任务定义中添加了以下内容：
{
"ipcMode": null,
"executionRoleArn": "arn:aws-cn:iam::xxxyyyeeezzz:role/tas-common-resource-ECSTaskExecutionRole-ZEATKLAUUDV8",
"containerDefinitions": [
{
"dnsSearchDomains": [],
"environmentFiles": null,
"logConfiguration": {
"logDriver": "awslogs",
"secretOptions": [],
"options": {
"awslogs-group": "TASStagingLogs",
"awslogs-region": "cn-north-1",
"awslogs-stream-prefix": "web-app-staging"
}
},
"entryPoint": [],
"portMappings": [
{
"hostPort": 8000,
"protocol": "tcp",
"containerPort": 8000
}
],
"command": [
"npm",
"start"
],
"linuxParameters": null,
"cpu": 0,
"environment": [
{
"name": "NODE_ENV",
"value": "staging"
},
{
"name": "RDS_SECRET_NAME",
"value": "staging/tas"
}
],
"resourceRequirements": null,
"ulimits": [],
"dnsServers": [],
"mountPoints": [],
"workingDirectory": null,
"secrets": [],
"dockerSecurityOptions": [],
"memory": null,
"memoryReservation": null,
"volumesFrom": [],
"stopTimeout": null,
"image": "xxxyyyeeezzz.dkr.ecr.cn-north-1.amazonaws.com.cn/tas/master-server",
"startTimeout": null,
"firelensConfiguration": null,
"dependsOn": null,
"disableNetworking": null,
"interactive": null,
"healthCheck": null,
"essential": true,
"links": [],
"hostname": null,
"extraHosts": [],
"pseudoTerminal": null,
"user": null,
"readonlyRootFilesystem": null,
"dockerLabels": {},
"systemControls": [],
"privileged": null,
"name": "web-app"
}
],
"placementConstraints": [],
"memory": "4096",
"taskRoleArn": "arn:aws-cn:iam::xxxyyyeeezzz:role/tas-common-resource-ECSTaskExecutionRole-ZEATKLAUUDV8",
"compatibilities": [
"EC2",
"FARGATE"
],
"taskDefinitionArn": "arn:aws-cn:ecs:cn-north-1:xxxyyyeeezzz:task-definition/master-web-staging-WebTaskDef-ZE50JXHI06U1:1",
"family": "master-web-staging-WebTaskDef-ZE50JXHI06U1",
"requiresAttributes": [
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.logging-driver.awslogs"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "ecs.capability.execution-role-awslogs"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.ecr-auth"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.docker-remote-api.1.19"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.docker-remote-api.1.17"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.task-iam-role"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "ecs.capability.execution-role-ecr-pull"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "ecs.capability.task-eni"
}
],
"pidMode": null,
"requiresCompatibilities": [
"EC2",
"FARGATE"
],
"networkMode": "awsvpc",
"cpu": "2048",
"revision": 1,
"status": "ACTIVE",
"inferenceAccelerators": null,
"proxyConfiguration": null,
"volumes": []
}
但是该角色对 Secrets Manager 中的所有资源都有读取权限，所以我不明白可能是哪里出了问题。请帮忙，谢谢。
嗨，问题已解决。原因是区域（region）配置错误：应用程序中把区域硬编码为 ap-southeast-1，而应用实际部署在 cn-north-1。由于 cn-north-1 属于独立的 aws-cn 分区，用 aws-cn 分区的凭证去调用 ap-southeast-1 的端点时会被当作无效的安全令牌拒绝（UnrecognizedClientException），而不是报权限不足。