Difference between AWS Elastic Container Service's (ECS) ExecutionRole and TaskRole
I'm using AWS's CloudFormation, and I recently spent quite a bit of time trying to figure out why the role I had created and attached policies to was not enabling my ECS task to send a message to a Simple Queue Service (SQS) queue.
I realized that I was incorrectly attaching the SQS permissions policy to the Execution Role when I should have been attaching the policy to the Task Role. I cannot find good documentation that explains the difference between the two roles. The CloudFormation documentation for the two of them is here: ExecutionRole and TaskRole
Referring to the documentation, you can see that the execution role is the IAM role that executes ECS actions such as pulling the image and storing the application logs in CloudWatch.
The TaskRole, then, is the IAM role used by the task itself. For example, if your container wants to call other AWS services like S3, SQS, etc., then those permissions would need to be covered by the TaskRole.
Using a TaskRole is functionally the same as using access keys in a config file on the container instance. Using access keys in this way is not secure and is considered very bad practice. I include this in the answer because many people reading this already understand access keys.
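The split described in this answer, as an added CloudFormation example that is not part of the original question or answer: the execution role carries only the AWS-managed policy the ECS agent needs to pull the image and write to CloudWatch Logs, while the SQS permission from the question goes on a separate task role and is scoped to one queue. Resource names (OrdersQueue, AppLogGroup, TaskExecutionRole, AppTaskRole, AppTaskDefinition), the family name and the container image are assumptions made for the example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Added example (not from the original post): one IAM role for the ECS agent
  (execution role) and a separate IAM role for the application code (task role).

Resources:
  OrdersQueue:
    Type: AWS::SQS::Queue

  AppLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 14

  # Execution role: assumed by the ECS agent to pull the image and ship logs.
  # It gets only the AWS-managed execution policy and no SQS access at all.
  TaskExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy

  # Task role: the credentials the container's own code obtains through the SDK.
  # This is where the SQS permission belongs, limited to the single queue used.
  AppTaskRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: SendToOrdersQueue
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - sqs:SendMessage
                  - sqs:GetQueueUrl
                Resource: !GetAtt OrdersQueue.Arn

  AppTaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: orders-producer            # assumed family name
      RequiresCompatibilities:
        - FARGATE
      NetworkMode: awsvpc
      Cpu: '256'
      Memory: '512'
      ExecutionRoleArn: !GetAtt TaskExecutionRole.Arn   # agent: pull image, write logs
      TaskRoleArn: !GetAtt AppTaskRole.Arn              # application: call SQS
      ContainerDefinitions:
        - Name: producer
          Image: public.ecr.aws/docker/library/python:3.12-slim   # placeholder image
          Essential: true
          Environment:
            - Name: QUEUE_URL
              Value: !Ref OrdersQueue   # Ref on an SQS queue returns its URL
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Ref AppLogGroup
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: producer
```

A quick way to tell which role is misconfigured: if the task never reaches RUNNING and the stopped reason mentions pulling the image or the log driver, the problem is on the execution role; if the task runs but the application receives an AccessDenied error from SQS, the missing permission is on the task role. With the task role in place the SDK picks up short-lived credentials from the ECS container credentials endpoint, so no access keys need to exist in any config file in the image or on the instance.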
The ECS task execution role is the capabilities of the ECS agent (and container instance), e.g.:
The ECS task role is the specific capabilities within the task itself, e.g.: