
IAM Error while using ecs-cli

I'm trying to create a new Task for ECS using a compose file, but I'm getting an AccessDeniedException even when my user has the required permissions.

$ ecs-cli compose --project-name test create
WARN[0000] Skipping unsupported YAML option for service...  option name=build service name=builder
WARN[0000] Skipping unsupported YAML option for service...  option name=restart service name=db
WARN[0000] Skipping unsupported YAML option for service...  option name=restart service name=dbadmin
WARN[0000] Skipping unsupported YAML option for service...  option name=restart service name=app
ERRO[0001] Error registering task definition             error=AccessDeniedException: User: arn:aws:iam::XXXXXXX:user/foo is not authorized to perform: ecs:RegisterTaskDefinition on resource: *
    status code: 400, request id: 41e6b69a-a839-11e6-84b0-e9bc2ec3f81b family=ecscompose-test
ERRO[0001] Create task definition failed                 error=AccessDeniedException: User: arn:aws:iam::XXXXXXX:user/foo is not authorized to perform: ecs:RegisterTaskDefinition on resource: *
    status code: 400, request id: 41e6b69a-a839-11e6-84b0-e9bc2ec3f81b
FATA[0001] AccessDeniedException: User: arn:aws:iam::XXXXXXX:user/foo is not authorized to perform: ecs:RegisterTaskDefinition on resource: *
    status code: 400, request id: 41e6b69a-a839-11e6-84b0-e9bc2ec3f81b 

The user has this policy attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:RegisterTaskDefinition",
                "ecs:ListTaskDefinitions",
                "ecs:DescribeTaskDefinition"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

I also tried attaching the AmazonEC2ContainerServiceFullAccess policy (which has ecs:*), but it didn't work.

I believe this posting has some answers as to why the above error is happening, though not a fix.

Trouble deploying docker on AWS with ecs-cli

"From what I understand, ecs-cli has a very limited support of the complete Docker Compose file syntax"

per user Dolan Antenucci

Note the warnings "WARN[0000] Skipping unsupported YAML option for service..."

ECS does not support a big chunk of the compose settings. However, it should just print warnings and ignore them, which will produce unintended results, but should not be throwing permission issues.

When you see 400 AccessDeniedExceptions that are in the form of "user_arn not authorized to perform service:action on service_resource" it is definitely an IAM issue. However, the IAM policy you listed looks correct. My thinking is that you are somehow not using the correct user credentials, or that the IAM policy is not applied correctly to the user.

Found the problem: the user I was using has a policy that requires MFA (MultiFactor Auth), and ecs-cli does not support that.
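An added example, not part of the original thread, of why the allow policy in the question loses to an MFA requirement: a simplified IAM evaluator (it ignores Resource and handles only Bool-style conditions) run over the question's policy plus DENY_WITHOUT_MFA. That statement is an assumption in the common "deny unless MFA" form, since the thread does not show the user's actual MFA policy; ACCESS_KEYS and MFA_SESSION are constructed request contexts.

```python
import fnmatch

# ALLOW_ECS is the policy from the question. DENY_WITHOUT_MFA is an assumed,
# constructed "require MFA" statement; the thread never shows the real one.
ALLOW_ECS = {
    "Effect": "Allow",
    "Action": ["ecs:RegisterTaskDefinition", "ecs:ListTaskDefinitions",
               "ecs:DescribeTaskDefinition"],
    "Resource": ["*"],
}
ALLOW_ECS_FULL = {"Effect": "Allow", "Action": ["ecs:*"], "Resource": ["*"]}
DENY_WITHOUT_MFA = {
    "Effect": "Deny",
    "NotAction": ["iam:ListMFADevices", "sts:GetSessionToken"],
    "Resource": ["*"],
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}

# Request contexts: long-term access keys carry no MFA key at all.
ACCESS_KEYS = {}
MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}

def _matches_any(patterns, action):
    # IAM action names are case-insensitive and may contain wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _condition_holds(condition, context):
    # Handles only Bool / BoolIfExists, which is all this example needs.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                if operator.endswith("IfExists"):
                    continue  # missing key: ...IfExists counts as a match
                return False  # missing key: plain operator does not match
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True

def _applies(stmt, action, context):
    hit = (_matches_any(stmt["Action"], action) if "Action" in stmt
           else not _matches_any(stmt["NotAction"], action))
    return hit and _condition_holds(stmt.get("Condition", {}), context)

def evaluate(statements, action, context):
    """Return 'Deny' (explicit), 'Allow' or 'ImplicitDeny'. Resource is ignored."""
    effects = [s["Effect"] for s in statements if _applies(s, action, context)]
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"
```

With the deny statement present, `evaluate` returns `Deny` for `ecs:RegisterTaskDefinition` under `ACCESS_KEYS` even when `ALLOW_ECS_FULL` is attached, and `Allow` for the same call under `MFA_SESSION`.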
