AWS CDK ECS任务定义不需要任务角色

huangapple go评论91阅读模式
英文:

AWS CDK ECS Task Definition Without Task Role

问题

在AWS CDK v2中,ECS TaskDefinition L2构造器有一个可选属性TaskRole,如果未指定,则CDK的默认行为是创建一个任务角色。然而,我不想为此资源设置任务角色,在AWS中实际上不需要这个属性,任务定义可以在没有任务角色的情况下正常工作。我该如何在CDK中管理这个呢?我看不到任何取消任务角色或者在一开始就不生成它的方法。我需要回到L1构造器吗?我的配置如下:

taskDefinition := awsecs.NewEc2TaskDefinition(stack, jsii.String(deploymentEnv+service.Tag+"TaskDef"), &awsecs.Ec2TaskDefinitionProps{
			Family:      jsii.String(deploymentEnv + service.Tag), 
			NetworkMode: awsecs.NetworkMode_BRIDGE,
			//TaskRole: 在这里我该怎么做来解决这个问题
			Volumes: &[]*awsecs.Volume{
				&efs_shared_volume,
			},
		})
英文:

In AWS CDK v2 the ECS TaskDefinition L2 construct has an optional property TaskRole if not specified CDK default behavior is to create a task role. However I do not want a task role set for this resource, it is not actually required in AWS - the Task Definition can function without this property. How can i manage that in CDK? I can't see any way to unset that task role or not have it generated in the first place. Do I need to step back to the L1 construct for this? My configuration:

taskDefinition := awsecs.NewEc2TaskDefinition(stack, jsii.String(deploymentEnv+service.Tag+"TaskDef"), &awsecs.Ec2TaskDefinitionProps{
			Family:      jsii.String(deploymentEnv + service.Tag), 
			NetworkMode: awsecs.NetworkMode_BRIDGE,
			//TaskRole: what can i do here to fix this
			Volumes: &[]*awsecs.Volume{
				&efs_shared_volume,
			},
		})

答案1

得分: 3

在CDK中,这是必要的,因为L2构造实现了Grantable接口,其方法依赖于角色的存在。从技术上讲,你几乎可以覆盖任何节点上的任何属性,从而实现这种效果,但这可能导致难以跟踪的错误。

此外,如果未为任务定义指定角色,则任务将继承集群中EC2实例角色的权限,这几乎肯定不是你想要的行为。如果这是你想要的行为,最好明确定义角色与EC2集群中使用的角色相同。

或者,如果你的意图是使任务没有任何权限,你最好要么使用默认行为,要么明确定义一个没有附加策略的角色,然后(可选地)将角色对象上的.withoutPolicyUpdates返回的对象传递给阻止授予对其进行更新。

const role = new iam.Role(this, 'Role', {
  assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
  description: 'Empty ECS task role with no permissions',
});

// ...

taskDefinition := awsecs.NewEc2TaskDefinition(stack, jsii.String(deploymentEnv+service.Tag+"TaskDef"), &awsecs.Ec2TaskDefinitionProps{
            // ...
            TaskRole: role.withoutPolicyUpdates(),
            // ...
        })
英文:

In the CDK, it's necessary because the L2 construct implements the Grantable interface, and its methods depend on the existence of the role. Technically, you can override almost any property on any node which would allow you to get this effect, but that may result in difficult to track errors down the road.

Additionally, if no role is specified for a task definition, your tasks inherit permissions from the EC2 instance role in the cluster, which is almost certainly not a behavior you want. If that is the behavior you want, you're better off explicitly defining the role to be the same as the role used in the EC2 cluster.

Alternatively, if your intention is to make your tasks have no permissions, your best bet is to either stick with the default behavior or explicitly define a role with no attached policies then (optionally) pass the object returned by the .withoutPolicyUpdates on the role object to prevent it from being updated by grants.

const role = new iam.Role(this, 'Role', {
  assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
  description: 'Empty ECS task role with no permissions',
});

// ...

taskDefinition := awsecs.NewEc2TaskDefinition(stack, jsii.String(deploymentEnv+service.Tag+"TaskDef"), &awsecs.Ec2TaskDefinitionProps{
            // ...
            TaskRole: role.withoutPolicyUpdates(),
            // ...
            },
        })

答案2

得分: 2

您可以使用tryRemoveChild方法通过ID删除任意子构件,使用逃生口方法:

// 删除角色
taskDefinition.Node().TryRemoveChild(jsii.String("TaskRole"))

// 删除对角色的引用
t := taskDefinition.Node().DefaultChild().(awsecs.CfnTaskDefinition)
t.AddPropertyDeletionOverride(jsii.String("TaskRoleArn"))

关键是要识别构件的ID。有时您需要在源代码中查找它。

英文:

You can remove arbitrary child constructs by ID, using the tryRemoveChild escape hatch method:

// remove the role
taskDefinition.Node().TryRemoveChild(jsii.String("TaskRole"))

// remove the reference to the role
t := taskDefinition.Node().DefaultChild().(awsecs.CfnTaskDefinition)
t.AddPropertyDeletionOverride(jsii.String("TaskRoleArn"))

The trick is identifying the construct ID. You sometimes need to look for it in the source code.

huangapple
  • 本文由 发表于 2023年1月18日 01:29:25
  • 转载请务必保留本文链接:https://go.coder-hub.com/75150109.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定