stackoom
  简体   繁体   中英

AWS Batch container cannot access S3 via aws-cli

 原文  2022-05-02 18:35:18       amazon-web-services/ aws-cli/ aws-batch

Question

I'm trying to run an AWS Batch job, but it is failing when calling aws-cli to copy data from s3 into the container. The error message is as follows:

fatal error: Unable to locate credentials

My job definition has an execution role with two managed policies: AmazonS3FullAccess and AmazonECSTaskExecutionRolePolicy . The container image is built from the default ubuntu:22.04 image, and has an entry point file similar to:

#!/bin/bash
set -ex

aws s3 cp ...

I've also been reading the following question: ECS Fargate task not applying role , which states that the container should have a variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI , but I don't have that. I've added a declare -x in my entry point, and this is its output when I execute the Batch job:

declare -x AWS_BATCH_CE_NAME="MyCluster"
declare -x AWS_BATCH_JOB_ATTEMPT="1"
declare -x AWS_BATCH_JOB_ID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
declare -x AWS_BATCH_JQ_NAME="MyQueue"
declare -x AWS_DEFAULT_REGION="us-west-2"
declare -x AWS_EXECUTION_ENV="AWS_ECS_FARGATE"
declare -x AWS_REGION="us-west-2"
declare -x DEBIAN_FRONTEND="noninteractive"
declare -x ECS_CONTAINER_METADATA_URI="http://111.111.111.1/v3/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxx"
declare -x ECS_CONTAINER_METADATA_URI_V4="http://111.111.111.1/v4/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxx"
declare -x HOME="/root"
declare -x HOSTNAME="ip-111-11-1-111.us-west-2.compute.internal"
declare -x OLDPWD
declare -x PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
declare -x PWD="/"
declare -x SHLVL="1"

Also, when setting up a Fargate cluster, I can see that a Task Definition has a "Task Role" in addition to the execution role. My understanding is that the "Task Role" is a role defined inside the container, while the execution role is defined to setup the container. In Batch, there is no such "Task Role". So, my question is, how can I authorize my container to access my AWS resources with aws-cli inside the container?

1 answers

solution1
 2 ACCPTED  2022-05-05 20:10:24

I finally figured out how to pass permissions to the container. The Job Definition has a "Job Role" which is passed directly to the ECS Task Role, but that configuration option isn't available in the AWS Console. One must register the Job Definition via API or CLI, in the --container-properties parameter:

aws batch register-job-definition --container-properties '{"jobRoleArn": "...","executionRoleArn": "..."}' ...

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to upload a file to S3 as a Cognito user by using aws-cli? Cannot connect to S3 bucket via Transmit, only via AWS CLI UnrecognizedClientException error when authenticating on aws-cli how to return items in a dynamodb on aws-cli How to install aws-cli on alpine? JupyterHub access AWS S3 s3:listallbuckets works on aws console but not on cli aws vpc s3 endpoint cli syntax aws-cli 2 permission denied error in linux after installation AWS-CLI: How do I filter autoscalinggroups
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM