[英]Amazon ECS - Permission denied when using IAM role on Docker entrypoint
I'm looking for a way to inject secrets/certificates into Amazon ECS containers.我正在寻找一种将机密/证书注入 Amazon ECS 容器的方法。 In my case, it's a simple nginx container.就我而言,它是一个简单的 nginx 容器。
I've been following this post, using AWS Parameter Store: https://aws.amazon.com/blogs/compute/managing-secrets-for-amazon-ecs-applications-using-parameter-store-and-iam-roles-for-tasks/我一直在关注这篇文章,使用 AWS Parameter Store: https : //aws.amazon.com/blogs/compute/managing-secrets-for-amazon-ecs-applications-using-parameter-store-and-iam-roles - 任务/
Here's the basic gist:这是基本要点:
Dockerfile文件
FROM nginx:1.16.0
...
ENTRYPOINT ["/var/run/fetch.sh", "nginx", "-g", "daemon off;"]
fetch.sh获取.sh
aws ssm get-parameter \
--name ${key} \
--with-decryption \
--region us-east-1 \
--output text \
--query Parameter.Value
{
"portMappings": [
{
"hostPort": 0,
"protocol": "tcp",
"containerPort": 443
}
],
"cpu": 0,
"environment": [],
"mountPoints": [],
"memoryReservation": 256,
"memory": 512,
"volumesFrom": [],
"image": "url/some_image:latest",
"essential": true,
"name": "my-container"
}
I'm able to fetch the keys on a running task by running it manually via docker exec, but I'm unable to fetch them when starting a task (specifically when I attach the script on the entrypoint as on code above).我可以通过 docker exec 手动运行来获取正在运行的任务上的密钥,但是在启动任务时我无法获取它们(特别是当我在入口点附加脚本时,如上面的代码一样)。
Does an ECS task have access to IAM roles at the entrypoint? ECS 任务是否可以访问入口点的 IAM 角色? When does it actually assume IAM roles?它何时实际承担 IAM 角色?
You can now easily inject secrets from SSM or Secrets Manager using the secrets
in the containerDefinitions
of a task definition.您现在可以使用任务定义的containerDefinitions
中的secrets
轻松地从 SSM 或 Secrets Manager 注入机密。 With this solution, you don't have to run/manage your custom scripts to fetch your secrets anymore.使用此解决方案,您不必再运行/管理您的自定义脚本来获取您的机密。
It looks like this:它看起来像这样:
{
"containerDefinitions": [{
"secrets": [{
"name": "environment_variable_name",
"valueFrom": "arn:aws:secretsmanager:region:aws_account_id:secret:secret_name-AbCdEf"
}]
}]
}
{
"containerDefinitions": [{
"secrets": [{
"name": "environment_variable_name",
"valueFrom": "arn:aws:ssm:region:aws_account_id:parameter/parameter_name"
}]
}]
}
Have a look at AWS Launches Secrets Support for Amazon Elastic Container Service and Specifying Sensitive Data .查看AWS 推出对 Amazon Elastic Container Service 的秘密支持和指定敏感数据。
You must have a task execution role and reference it in your task definition.您必须具有任务执行角色并在您的任务定义中引用它。 Example policy:示例政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:GetParameters",
"secretsmanager:GetSecretValue",
"kms:Decrypt"
],
"Resource": [
"arn:aws:ssm:<region>:<aws_account_id>:parameter/parameter_name",
"arn:aws:secretsmanager:<region>:<aws_account_id>:secret:secret_name",
"arn:aws:kms:<region>:<aws_account_id>:key/key_id"
]
}
]
}
More info in Required IAM Permissions for Amazon ECS Secrets . Amazon ECS 密钥所需的 IAM 权限中的更多信息。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.