
Difference between AWS Elastic Container Service's (ECS) ExecutionRole and TaskRole

I'm using AWS's CloudFormation, and I recently spent quite a bit of time trying to figure out why the role I had created and attached policies to was not enabling my ECS task to send a message to a Simple Queue Service (SQS) queue.

I realized that I was incorrectly attaching the SQS permissions policy to the Execution Role when I should have been attaching the policy to the Task Role. I cannot find good documentation that explains the difference between the two roles. The CloudFormation documentation for the two of them is here: ExecutionRole and TaskRole.

Referring to the documentation, you can see that the execution role is the IAM role that executes ECS actions such as pulling the image and storing the application logs in CloudWatch.

The TaskRole, then, is the IAM role used by the task itself. For example, if your container wants to call other AWS services like S3, SQS, etc., then those permissions would need to be covered by the TaskRole.

Using a TaskRole is functionally the same as using access keys in a config file on the container instance. Using access keys in this way is not secure and is considered very bad practice. I include this in the answer because many people reading this already understand access keys.

The ECS task execution role covers the capabilities of the ECS agent (and container instance), e.g.:

  • Pulling a container image from Amazon ECR
  • Using the awslogs log driver

The ECS task role covers specific capabilities within the task itself, e.g.:

  • When your actual code runs
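An added CloudFormation template (not part of the question or either answer) that puts the split both answers describe into one task definition: the execution role carries only what the agent needs (ECR pull, awslogs), and the SQS permission sits on the task role, scoped to the single queue. Resource names, the queue, the image URI and the account id are placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  # Execution role: assumed by the ECS agent, never by your code. Attaching
  # sqs:SendMessage here (the question's mistake) does nothing for the app,
  # because the container never receives these credentials.
  TaskExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - { Effect: Allow, Principal: { Service: ecs-tasks.amazonaws.com }, Action: sts:AssumeRole }
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy

  # Task role: the credentials the container itself obtains at runtime.
  # This is where the SQS permission belongs, limited to the one queue
  # rather than Resource: "*".
  TaskRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - { Effect: Allow, Principal: { Service: ecs-tasks.amazonaws.com }, Action: sts:AssumeRole }
      Policies:
        - PolicyName: SendToWorkQueue
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: sqs:SendMessage
                Resource: !GetAtt WorkQueue.Arn

  WorkQueue:
    Type: AWS::SQS::Queue

  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: sqs-producer
      ExecutionRoleArn: !GetAtt TaskExecutionRole.Arn   # agent-side: ECR pull, awslogs
      TaskRoleArn: !GetAtt TaskRole.Arn                 # app-side: the SQS call
      ContainerDefinitions:
        - Name: app
          Image: 123456789012.dkr.ecr.us-east-1.amazonaws.com/app:latest  # placeholder
          Memory: 512
          Environment:
            - { Name: QUEUE_URL, Value: !Ref WorkQueue }
```

If a task's SQS call is denied, the CloudTrail record will show the caller as the task role's assumed-role session, which is a quick way to confirm which of the two roles the SDK actually used.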
