AWS Batch 容器无法通过 aws-cli 访问 S3
[英]AWS Batch container cannot access S3 via aws-cli
问题描述
I'm trying to run an AWS Batch job, but it is failing when calling aws-cli to copy data from s3 into the container.
我正在尝试运行 AWS Batch 作业,但在调用aws-cli将数据从 s3 复制到容器时失败。 The error message is as follows:错误信息如下:
fatal error: Unable to locate credentials
My job definition has an execution role with two managed policies: AmazonS3FullAccess and AmazonECSTaskExecutionRolePolicy .我的作业定义有一个具有两个托管策略的执行角色: AmazonS3FullAccess和AmazonECSTaskExecutionRolePolicy 。 The container image is built from the default ubuntu:22.04 image, and has an entry point file similar to:容器镜像是从默认的ubuntu:22.04镜像构建的,并且有一个类似于以下内容的入口点文件:
#!/bin/bash
set -ex
aws s3 cp ...
I've also been reading the following question: ECS Fargate task not applying role , which states that the container should have a variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI , but I don't have that.我也一直在阅读以下问题: ECS Fargate task not applying role ,它指出容器应该有一个变量AWS_CONTAINER_CREDENTIALS_RELATIVE_URI ,但我没有。 I've added a declare -x in my entry point, and this is its output when I execute the Batch job:我在我的入口点添加了一个declare -x ,这是我执行批处理作业时的 output:
declare -x AWS_BATCH_CE_NAME="MyCluster"
declare -x AWS_BATCH_JOB_ATTEMPT="1"
declare -x AWS_BATCH_JOB_ID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
declare -x AWS_BATCH_JQ_NAME="MyQueue"
declare -x AWS_DEFAULT_REGION="us-west-2"
declare -x AWS_EXECUTION_ENV="AWS_ECS_FARGATE"
declare -x AWS_REGION="us-west-2"
declare -x DEBIAN_FRONTEND="noninteractive"
declare -x ECS_CONTAINER_METADATA_URI="http://111.111.111.1/v3/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxx"
declare -x ECS_CONTAINER_METADATA_URI_V4="http://111.111.111.1/v4/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxx"
declare -x HOME="/root"
declare -x HOSTNAME="ip-111-11-1-111.us-west-2.compute.internal"
declare -x OLDPWD
declare -x PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
declare -x PWD="/"
declare -x SHLVL="1"
Also, when setting up a Fargate cluster, I can see that a Task Definition has a "Task Role" in addition to the execution role.此外,在设置 Fargate 集群时,我可以看到任务定义除了执行角色外还有一个“任务角色”。 My understanding is that the "Task Role" is a role defined inside the container, while the execution role is defined to setup the container.我的理解是“任务角色”是在容器内部定义的角色,而执行角色则定义为设置容器。 In Batch, there is no such "Task Role".在 Batch 中,没有这样的“任务角色”。 So, my question is, how can I authorize my container to access my AWS resources with aws-cli inside the container?所以,我的问题是,如何授权我的容器使用容器内的aws-cli访问我的 AWS 资源?
1 个解决方案
解决方案1
2 已采纳 2022-05-05 20:10:24
I finally figured out how to pass permissions to the container.我终于想出了如何将权限传递给容器。 The Job Definition has a "Job Role" which is passed directly to the ECS Task Role, but that configuration option isn't available in the AWS Console.作业定义有一个直接传递给 ECS 任务角色的“作业角色”,但该配置选项在 AWS 控制台中不可用。 One must register the Job Definition via API or CLI, in the --container-properties parameter:必须通过 API 或 CLI 在--container-properties参数中注册作业定义:
aws batch register-job-definition --container-properties '{"jobRoleArn": "...","executionRoleArn": "..."}' ...
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.