
AWS account A lambda trying to trigger ecs run task for B account

Code in lambda function -

    import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
    import com.amazonaws.services.ecs.AmazonECSClientBuilder;
    import com.amazonaws.services.ecs.model.LaunchType;
    import com.amazonaws.services.ecs.model.RunTaskRequest;
    import com.amazonaws.services.ecs.model.RunTaskResult;

    // Task definition and cluster that live in account B (placeholders as posted)
    String arn = "arn:aws:ecs:eu-west-1:accountId(B-account):task-definition/task-defn-name";
    String cluster = "arn:aws:ecs:eu-west-1:accountId(B-account):cluster/cluster name";

    RunTaskRequest request = new RunTaskRequest()
            .withLaunchType(LaunchType.EC2)
            .withCluster(cluster)
            .withTaskDefinition(arn);

    // Builder(roleArn, roleSessionName): the first argument is expected to be the full ARN of the role to assume
    final STSAssumeRoleSessionCredentialsProvider cross_acct_lambda =
            new STSAssumeRoleSessionCredentialsProvider.Builder("AccountB-Role", "cross_acct_lambda").build();

    RunTaskResult response = AmazonECSClientBuilder.standard()
            .withCredentials(cross_acct_lambda)
            .build()
            .runTask(request);

This worked; I was using the default credential provider instead of STSAssumeRoleSessionCredentialsProvider.

Permission policy in Account B role

    {
        "Effect": "Allow",
        "Action": [
            "ecs:RunTask",
            "ecs:Describe*",
            "ecs:List*"
        ],
        "Resource": [
            "*"
        ]
    }

Trust relationship of Role in B account

    {
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "ecs-tasks.amazonaws.com",
              "ec2.amazonaws.com"
            ]
          },
          "Action": "sts:AssumeRole"
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::AccountId-Aaccount:role/ecsLambdaRole"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

A account role

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::AccountId-Baccount:role/role name"
    }
}

Sadly, you can't do this directly as you are attempting.

Usually, cross-account operations are enabled through cross-account roles.

For this to work in your use-case you would have to do the following:

  1. Set up an assumable role in AccB. The role would have a policy with permissions to start its ecs task. The trust relationship would allow AccA to assume the role.

  2. A lambda execution role in AccA would have permissions to assume the role from AccB (i.e. sts:AssumeRole).

  3. The lambda would use the STS service to explicitly assume the role. The call to STS would return temporary IAM credentials. The credentials would allow you to create a session in your lambda function to trigger ECS tasks in AccB.

How to assume the role in lambda from AccB is explained in the following AWS blog post:
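The three steps above carried through in Java with the same AWS SDK v1 classes the question uses, as an added example that is not part of the answer: the Lambda's own execution-role credentials call STS AssumeRole, and the temporary credentials STS returns (access key, secret key and session token) are handed to the ECS client that runs the task in AccB. The role ARN, account id, region, cluster and task-definition names are placeholders, not values from the question.

```java
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.services.ecs.AmazonECS;
import com.amazonaws.services.ecs.AmazonECSClientBuilder;
import com.amazonaws.services.ecs.model.LaunchType;
import com.amazonaws.services.ecs.model.RunTaskRequest;
import com.amazonaws.services.ecs.model.RunTaskResult;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.Credentials;

public class CrossAccountRunTask {

    // Placeholders (assumed): the full ARN of the assumable role in AccB and the task/cluster it may run
    private static final String ACCB_ROLE_ARN = "arn:aws:iam::<ACCB_ACCOUNT_ID>:role/AccountB-Role";
    private static final String TASK_DEF_ARN = "arn:aws:ecs:eu-west-1:<ACCB_ACCOUNT_ID>:task-definition/task-defn-name";
    private static final String CLUSTER_ARN = "arn:aws:ecs:eu-west-1:<ACCB_ACCOUNT_ID>:cluster/cluster-name";

    public static RunTaskResult runTaskInAccountB() {
        // Steps 2-3: the Lambda execution role's own credentials (default provider chain) call STS AssumeRole
        AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
                .withRegion("eu-west-1")
                .build();
        AssumeRoleRequest assumeRequest = new AssumeRoleRequest()
                .withRoleArn(ACCB_ROLE_ARN)
                .withRoleSessionName("cross_acct_lambda")
                .withDurationSeconds(900); // shortest allowed lifetime; starting a task needs only seconds
        Credentials temp = sts.assumeRole(assumeRequest).getCredentials();

        // The temporary keys (session token included) become the credentials of the ECS client for AccB
        BasicSessionCredentials sessionCreds = new BasicSessionCredentials(
                temp.getAccessKeyId(), temp.getSecretAccessKey(), temp.getSessionToken());
        AmazonECS ecs = AmazonECSClientBuilder.standard()
                .withRegion("eu-west-1")
                .withCredentials(new AWSStaticCredentialsProvider(sessionCreds))
                .build();

        RunTaskRequest request = new RunTaskRequest()
                .withLaunchType(LaunchType.EC2)
                .withCluster(CLUSTER_ARN)
                .withTaskDefinition(TASK_DEF_ARN);
        return ecs.runTask(request);
    }
}
```

The AssumeRole call only succeeds when both halves are in place: the AccA execution role is allowed sts:AssumeRole on the AccB role ARN, and the AccB role's trust policy names that AccA role as a principal.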
