
AWS CDK ECS Task Definition Without Task Role

In AWS CDK v2 the ECS TaskDefinition L2 construct has an optional property TaskRole; if it is not specified, CDK's default behavior is to create a task role. However, I do not want a task role set for this resource; it is not actually required in AWS, and the Task Definition can function without this property. How can I manage that in CDK? I can't see any way to unset that task role, or to avoid having it generated in the first place. Do I need to step back to the L1 construct for this? My configuration:

taskDefinition := awsecs.NewEc2TaskDefinition(stack, jsii.String(deploymentEnv+service.Tag+"TaskDef"), &awsecs.Ec2TaskDefinitionProps{
    Family:      jsii.String(deploymentEnv + service.Tag),
    NetworkMode: awsecs.NetworkMode_BRIDGE,
    // TaskRole: what can I do here to fix this
    Volumes: &[]*awsecs.Volume{
        &efs_shared_volume,
    },
})

In the CDK, it's necessary because the L2 construct implements the Grantable interface, and its methods depend on the existence of the role. Technically, you can override almost any property on any node, which would allow you to get this effect, but that may result in errors that are difficult to track down the road.

Additionally, if no role is specified for a task definition, your tasks inherit permissions from the EC2 instance role in the cluster, which is almost certainly not a behavior you want. If that is the behavior you want, you're better off explicitly defining the role to be the same as the role used in the EC2 cluster.

Alternatively, if your intention is to make your tasks have no permissions, your best bet is to either stick with the default behavior or explicitly define a role with no attached policies, then (optionally) pass the object returned by .withoutPolicyUpdates on the role object to prevent it from being updated by grants.

// Empty task role: trusted only by the ECS tasks service, no policies attached.
role := awsiam.NewRole(stack, jsii.String("Role"), &awsiam.RoleProps{
    AssumedBy:   awsiam.NewServicePrincipal(jsii.String("ecs-tasks.amazonaws.com"), nil),
    Description: jsii.String("Empty ECS task role with no permissions"),
})

// ...

taskDefinition := awsecs.NewEc2TaskDefinition(stack, jsii.String(deploymentEnv+service.Tag+"TaskDef"), &awsecs.Ec2TaskDefinitionProps{
    // ...
    // WithoutPolicyUpdates returns an IRole whose grant methods are no-ops,
    // so later grant*() calls elsewhere in the app cannot attach policies to it.
    TaskRole: role.WithoutPolicyUpdates(nil),
    // ...
})
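The caveat in the answer above (a task definition with no TaskRoleArn lets EC2-launch-type tasks fall back to the instance role) is easy to check on the output of `cdk synth` rather than trusting the construct tree. The following Go program is an added example, not code from the question or the answer: it parses a CloudFormation template and flags every `AWS::ECS::TaskDefinition` that lacks a `TaskRoleArn`, and every task role whose trust policy admits a principal other than `ecs-tasks.amazonaws.com`. The template embedded in it is constructed for the example; the logical IDs (`TaskRole30FC0FBB`, `ApiTaskDef`, `WorkerTaskDef`) are assumptions and not from any real synth output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
)

// Constructed sample: a cut-down cdk synth output with two task definitions.
// ApiTaskDef points at an empty task role (as in the answer above);
// WorkerTaskDef omits TaskRoleArn entirely. Logical IDs are hypothetical.
const sampleTemplate = `{
  "Resources": {
    "TaskRole30FC0FBB": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                         "Principal": {"Service": "ecs-tasks.amazonaws.com"}}],
          "Version": "2012-10-17"
        }
      }
    },
    "ApiTaskDef": {
      "Type": "AWS::ECS::TaskDefinition",
      "Properties": {
        "Family": "prod-api",
        "TaskRoleArn": {"Fn::GetAtt": ["TaskRole30FC0FBB", "Arn"]}
      }
    },
    "WorkerTaskDef": {
      "Type": "AWS::ECS::TaskDefinition",
      "Properties": {"Family": "prod-worker"}
    }
  }
}`

type resource struct {
	Type       string                 `json:"Type"`
	Properties map[string]interface{} `json:"Properties"`
}

type template struct {
	Resources map[string]resource `json:"Resources"`
}

// Finding is one violation located in the template.
type Finding struct {
	LogicalID string
	Message   string
}

// AuditTaskRoles reports task definitions without a TaskRoleArn (tasks on the
// EC2 launch type can then reach the instance role via IMDS) and task roles
// whose trust policy allows anything other than the ECS tasks service.
func AuditTaskRoles(tmpl []byte) ([]Finding, error) {
	var t template
	if err := json.Unmarshal(tmpl, &t); err != nil {
		return nil, err
	}
	var findings []Finding
	for id, r := range t.Resources {
		if r.Type != "AWS::ECS::TaskDefinition" {
			continue
		}
		arn, ok := r.Properties["TaskRoleArn"]
		if !ok || arn == nil || arn == "" {
			findings = append(findings, Finding{id, "no TaskRoleArn; tasks fall back to the instance role"})
			continue
		}
		// Resolve an in-template {"Fn::GetAtt": [roleId, "Arn"]} reference
		// and inspect that role's trust policy.
		if ref, ok := arn.(map[string]interface{}); ok {
			if ga, ok := ref["Fn::GetAtt"].([]interface{}); ok && len(ga) == 2 {
				roleID, _ := ga[0].(string)
				if role, ok := t.Resources[roleID]; ok && !trustsOnly(role, "ecs-tasks.amazonaws.com") {
					findings = append(findings, Finding{roleID, "trust policy allows a principal other than ecs-tasks.amazonaws.com"})
				}
			}
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].LogicalID < findings[j].LogicalID })
	return findings, nil
}

// trustsOnly is true when every Allow statement of the role's trust policy
// names exactly one Service principal equal to service. A wildcard "*"
// principal, an AWS/Federated principal, or an empty policy all fail.
func trustsOnly(role resource, service string) bool {
	doc, _ := role.Properties["AssumeRolePolicyDocument"].(map[string]interface{})
	stmts, _ := doc["Statement"].([]interface{})
	if len(stmts) == 0 {
		return false
	}
	for _, s := range stmts {
		st, _ := s.(map[string]interface{})
		if st["Effect"] != "Allow" {
			continue
		}
		principal, _ := st["Principal"].(map[string]interface{})
		if len(principal) != 1 {
			return false
		}
		switch svc := principal["Service"].(type) {
		case string:
			if svc != service {
				return false
			}
		case []interface{}:
			if len(svc) != 1 || svc[0] != service {
				return false
			}
		default:
			return false
		}
	}
	return true
}

func main() {
	findings, err := AuditTaskRoles([]byte(sampleTemplate))
	if err != nil {
		fmt.Fprintln(os.Stderr, "parse error:", err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.LogicalID, f.Message)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```

Run it against `cdk.out/<stack>.template.json` by swapping the embedded constant for a file read; a non-zero exit makes it usable as a pipeline gate. Note that it only resolves `Fn::GetAtt` references to roles in the same template; a `TaskRoleArn` imported from another stack is accepted as present but its trust policy is not examined.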

You can remove arbitrary child constructs by ID, using the tryRemoveChild escape hatch method:

taskDefinition.Node().TryRemoveChild(jsii.String("TaskRole"))

The trick is identifying the construct ID. You sometimes need to look for it in the source code.

Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you repost, please cite this site or the original URL.