Amazon ECS - Permission denied when using IAM role on Docker entrypoint

I'm looking for a way to inject secrets/certificates into Amazon ECS containers. In my case, it's a simple nginx container.

I've been following this post, using AWS Parameter Store: https://aws.amazon.com/blogs/compute/managing-secrets-for-amazon-ecs-applications-using-parameter-store-and-iam-roles-for-tasks/

Here's the basic gist:

  1. On my Dockerfile, I attach a script on entrypoint which installs the AWS client and fetches the keys from AWS parameter store.

Dockerfile

FROM nginx:1.16.0

...
ENTRYPOINT ["/var/run/fetch.sh", "nginx", "-g", "daemon off;"]

fetch.sh

        #!/bin/sh
        set -eu
        # $key names the parameter to read; where the value is written is elided in the post.
        aws ssm get-parameter \
            --name "${key}" \
            --with-decryption \
            --region us-east-1 \
            --output text \
            --query Parameter.Value
        # Hand control to the command passed in ENTRYPOINT (nginx here).
        exec "$@"

  2. The task definition assumes an IAM role that has access to the required services (kms + parameter store). I can verify this works because if I ssh to the server and run the script on the container, I am able to fetch the keys from Parameter Store.
  {
    "portMappings": [
      {
        "hostPort": 0,
        "protocol": "tcp",
        "containerPort": 443
      }
    ],
    "cpu": 0,
    "environment": [],
    "mountPoints": [],
    "memoryReservation": 256,
    "memory": 512,
    "volumesFrom": [],
    "image": "url/some_image:latest",
    "essential": true,
    "name": "my-container"
  }
  3. When ECS runs this task, it should hit the entrypoint which fetches the keys from parameter store and saves them.

I'm able to fetch the keys on a running task by running it manually via docker exec, but I'm unable to fetch them when starting a task (specifically when I attach the script on the entrypoint as in the code above).

Does an ECS task have access to IAM roles at the entrypoint? When does it actually assume IAM roles?

You can now easily inject secrets from SSM or Secrets Manager using the secrets in the containerDefinitions of a task definition. With this solution, you don't have to run/manage your custom scripts to fetch your secrets anymore.

It looks like this:

{
    "containerDefinitions": [{
        "secrets": [{
            "name": "environment_variable_name",
            "valueFrom": "arn:aws:secretsmanager:region:aws_account_id:secret:secret_name-AbCdEf"
        }]
    }]
}
{
    "containerDefinitions": [{
        "secrets": [{
            "name": "environment_variable_name",
            "valueFrom": "arn:aws:ssm:region:aws_account_id:parameter/parameter_name"
        }]
    }]
}

Have a look at AWS Launches Secrets Support for Amazon Elastic Container Service and Specifying Sensitive Data.

You must have a task execution role and reference it in your task definition. Example policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameters",
        "secretsmanager:GetSecretValue",
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:ssm:<region>:<aws_account_id>:parameter/parameter_name",
        "arn:aws:secretsmanager:<region>:<aws_account_id>:secret:secret_name",
        "arn:aws:kms:<region>:<aws_account_id>:key/key_id"
      ]
    }
  ]
}

More info in Required IAM Permissions for Amazon ECS Secrets.
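As an added example that is not part of the answer or of any AWS tooling, the script below checks a task definition against the execution-role policy offline: for every `secrets[].valueFrom` ARN it looks for an Allow statement granting the matching action on a resource pattern that covers the ARN. The task definition, policy, account id, region and ARNs are constructed sample values; the check does not cover the kms:Decrypt grant that SecureString parameters and customer-managed keys additionally need.

```python
import fnmatch

# Constructed sample input (not from the page): a task definition using the
# secrets feature and the execution-role policy that is meant to back it.
TASK_DEF = {"containerDefinitions": [{"name": "my-container", "secrets": [
    {"name": "DB_PASSWORD", "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:db_password-AbCdEf"},
    {"name": "TLS_KEY", "valueFrom": "arn:aws:ssm:us-east-1:123456789012:parameter/nginx/tls_key"},
    {"name": "API_TOKEN", "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:api_token-XyZ123"},
]}]}

EXEC_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ssm:GetParameters", "secretsmanager:GetSecretValue", "kms:Decrypt"],
    "Resource": [
        "arn:aws:ssm:us-east-1:123456789012:parameter/nginx/tls_key",
        # Secrets Manager ARNs end in a random 6-character suffix, hence the wildcard.
        "arn:aws:secretsmanager:us-east-1:123456789012:secret:db_password-*",
        "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
    ]}]}

# The API call ECS makes for each kind of valueFrom ARN.
ACTION_FOR_SERVICE = {"ssm": "ssm:GetParameters", "secretsmanager": "secretsmanager:GetSecretValue"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allowed_resources(policy, action):
    """Resource patterns of Allow statements whose Action matches `action`."""
    patterns = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            patterns.extend(_as_list(stmt["Resource"]))
    return patterns

def check_secrets(task_def, policy):
    """Return (container, env var, reason) for each secret the role cannot read."""
    problems = []
    # IAM resource patterns use * and ? wildcards, which fnmatch also understands.
    for cd in task_def["containerDefinitions"]:
        for secret in cd.get("secrets", []):
            arn = secret["valueFrom"]
            action = ACTION_FOR_SERVICE.get(arn.split(":")[2])  # arn:aws:<service>:...
            if action is None:
                problems.append((cd["name"], secret["name"], f"unsupported ARN {arn}"))
            elif not any(fnmatch.fnmatchcase(arn, p) for p in allowed_resources(policy, action)):
                problems.append((cd["name"], secret["name"], f"{action} not allowed on {arn}"))
    return problems
```

With the sample data the API_TOKEN secret is reported, because the policy grants secretsmanager:GetSecretValue only on the db_password secret; a missing grant of this kind is exactly what shows up as a task that fails to start rather than as an error inside the container.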
