如何解决ECS Fargate任务无法访问另一个帐户中的s3
我的“ AccountA”中有一个计划的ECS Fargate任务正在运行。该任务需要访问另一个aws帐户“ AccountB”中的s3存储桶。
AccountA中的ECS任务承担角色“ AccountA_ECSTaskRole”。 我已经在AccountB中创建了一个角色“ AccountB_S3AccessBucketRole”,以允许IAM角色“ AccountA_ECSTaskRole”访问AccountB中的S3存储桶。
AccountB_S3AccessBucketRole策略如下:
{
"Version": "2012-10-17","Statement": [
{
"Action": [
"s3:ListBucket","s3:GetBucketLocation"
],"Effect": "Allow","Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME"
},{
"Effect": "Allow","Action": [
"s3:GetObject","s3:PutObject"
],"Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME/*"
}
]
}
承担角色政策:
{
"Version": "2012-10-17","Statement": [
{
"Effect": "Allow","Action": "sts:AssumeRole","Principal": {
"AWS": "AccountA_ECSTaskRole_ARN"
}
}
]
}
我的任务是运行aws s3 cp myfiletocopy s3://ACCOUNTB_BUCKET_NAME/
的Docker容器。
我在任务定义中将taskRoleArn指定为AccountA_ECSTaskRole_ARN。 ECS代理似乎在我的容器中正确设置了AWS_CONTAINER_CREDENTIALS_RELATIVE_URI环境变量,因为我可以回显它。
还是我得到:调用PutObject操作时发生错误(AccessDenied):访问被拒绝
解决方法
在此steps中,我看到您缺少sts:AssumeRole操作的“资源”属性。
,我通过为ACCOUNTB_BUCKET_NAME(而非角色)设置存储区策略来使其正常工作,如下所示:
{
"Version": "2012-10-17","Statement": [
{
"Action": [
"s3:ListBucket","s3:GetBucketLocation"
],"Principal": {
"AWS": "AccountA_ECSTaskRole_ARN"
},"Effect": "Allow","Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME"
},{
"Effect": "Allow","Principal": {
"AWS": "AccountA_ECSTaskRole_ARN"
},"Action": [
"s3:GetObject","s3:PutObject"
],"Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME/*"
}
]
}
并设置AccountA_ECSTaskRole以访问ACCOUNTB_BUCKET_NAME:
{
"Version": "2012-10-17","Statement": [
{
"Action": [
"s3:ListBucket","s3:GetBucketLocation"
],"Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME"
},{
"Effect": "Allow","Action": [
"s3:GetObject","s3:PutObject"
],"Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME/*"
}
]
}