AWS Lambda function can't update ECS service

Question


When trying to call update_service on an ECS service using Python boto3, I got an error like this:

> An error occurred (AccessDeniedException) when calling the UpdateService operation: User: arn:aws:sts::xxx:assumed-role/infra-conductors/infra-conductors is not authorized to perform: iam:PassRole on resource: arn:aws:iam::xxx:role/ecs/ecsTaskExecutionRole-test with an explicit deny in a service control policy

But I've already added permissions and a trust policy to this Lambda:

{
    "Action": [
        "iam:PassRole"
    ],
    "Effect": "Allow",
    "Resource": [
        "arn:aws:iam::xxx:role/ecs/ecsTaskExecutionRole-test"
    ],
    "Sid": "test"
}

and:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "lambda.amazonaws.com",
                    "ecs.amazonaws.com",
                    "ecs-tasks.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

BTW, I attached other permissions to this Lambda, and it can reboot an ECS service or change the desiredCount, but when I try to change the taskdef, I get this error.

Answer 1

Score: 3

The error says that it was denied with an explicit deny. This means that somewhere there is a policy that explicitly denies what you are trying to do. Since a deny statement always takes precedence over any allow, first you have to find the policy with the deny and remove the deny.
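The following is an added example, not code from the original post or the answer above. It walks through the simplified IAM decision the answer describes (an explicit Deny from any applicable policy wins; otherwise the request needs an Allow from both the service control policies and the principal's identity policies) against the post's identity policy and a constructed, hypothetical SCP, and it includes a helper that points at the Deny statement responsible. The SCP documents, the account id 123456789012, the service ARN and the /approved/ role path are all assumptions made for the example; in a real investigation you would fetch the SCPs attached to the account (organizations:ListPoliciesForTarget and organizations:DescribePolicy, run from the organization's management account) and pass them in the same way. Condition blocks are ignored, which is why a real SCP must still be read by hand. Two facts worth keeping in mind while doing this: ECS UpdateService only calls iam:PassRole when you pass a new task definition (it must pass that definition's task and execution roles to ECS), which is why desiredCount changes succeed while task definition changes fail; and PassRole is authorized against the calling principal's permissions, so the trust policy of the passed role matters to ECS when it assumes the role, not to this check.

```python
"""Added example (not code from the original post): locate the explicit Deny
behind an iam:PassRole AccessDeniedException and show why an identity-policy
Allow cannot override it.  All policy documents below are constructed."""
import re

# Error text copied from the original post (the account id is masked there).
ERROR_MESSAGE = (
    "An error occurred (AccessDeniedException) when calling the UpdateService "
    "operation: User: arn:aws:sts::xxx:assumed-role/infra-conductors/infra-conductors "
    "is not authorized to perform: iam:PassRole on resource: "
    "arn:aws:iam::xxx:role/ecs/ecsTaskExecutionRole-test "
    "with an explicit deny in a service control policy"
)

_DENY_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+) "
    r"on resource: (?P<resource>\S+)"
    r"(?: with an explicit deny in an? (?P<source>[\w -]+?) policy)?"
)


def parse_access_denied(message):
    """Extract principal, action, resource and, when named, the policy type that
    carried the explicit deny.  Returns None if the message does not match."""
    m = _DENY_RE.search(message)
    return m.groupdict() if m else None


def _pattern(p, case_insensitive):
    # IAM policy wildcards: '*' matches any run of characters, '?' matches one.
    esc = re.escape(p).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + esc + "$", re.IGNORECASE if case_insensitive else 0)


def _as_list(v):
    return [] if v is None else (v if isinstance(v, list) else [v])


def statement_matches(stmt, action, resource):
    """True when the statement's Action/NotAction and Resource/NotResource cover
    the request.  Actions compare case-insensitively, resources do not.
    Assumption: Condition blocks are not evaluated."""
    if "Action" in stmt:
        act_ok = any(_pattern(a, True).match(action) for a in _as_list(stmt["Action"]))
    else:
        act_ok = not any(_pattern(a, True).match(action) for a in _as_list(stmt.get("NotAction")))
    if "Resource" in stmt:
        res_ok = any(_pattern(r, False).match(resource) for r in _as_list(stmt["Resource"]))
    else:
        res_ok = not any(_pattern(r, False).match(resource) for r in _as_list(stmt.get("NotResource")))
    return act_ok and res_ok


def find_explicit_denies(policies, action, resource):
    """Return (policy name, Sid) for every Deny statement that covers the request."""
    return [(name, stmt.get("Sid", ""))
            for name, doc in policies.items()
            for stmt in _as_list(doc.get("Statement"))
            if stmt.get("Effect") == "Deny" and statement_matches(stmt, action, resource)]


def _has_allow(policies, action, resource):
    return any(stmt.get("Effect") == "Allow" and statement_matches(stmt, action, resource)
               for doc in policies.values() for stmt in _as_list(doc.get("Statement")))


def evaluate(identity_policies, scps, action, resource):
    """Simplified IAM decision: any explicit Deny wins; otherwise both an SCP
    Allow and an identity-policy Allow are required."""
    if find_explicit_denies(scps, action, resource) or find_explicit_denies(identity_policies, action, resource):
        return "explicit-deny"
    if not _has_allow(scps, action, resource):
        return "implicit-deny (no SCP allow)"
    if not _has_allow(identity_policies, action, resource):
        return "implicit-deny (no identity allow)"
    return "allow"


# Constructed sample data.  The identity policy mirrors the post; the SCP is a
# hypothetical guardrail that only lets roles under /approved/ be passed.
ROLE = "arn:aws:iam::123456789012:role/ecs/ecsTaskExecutionRole-test"
SERVICE = "arn:aws:ecs:us-east-1:123456789012:service/test/svc"
IDENTITY_POLICIES = {
    "infra-conductors-inline": {"Version": "2012-10-17", "Statement": [
        {"Sid": "test", "Effect": "Allow", "Action": ["iam:PassRole"], "Resource": [ROLE]},
        {"Sid": "ecs", "Effect": "Allow", "Action": ["ecs:UpdateService"], "Resource": "*"},
    ]},
}
SCPS = {
    "FullAWSAccess": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "DenyPassRoleOutsideApprovedPath": {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyUnapprovedPassRole", "Effect": "Deny", "Action": "iam:PassRole",
         "NotResource": "arn:aws:iam::*:role/approved/*"}]},
}

if __name__ == "__main__":
    print(parse_access_denied(ERROR_MESSAGE))
    print("iam:PassRole on the /ecs/ role:", evaluate(IDENTITY_POLICIES, SCPS, "iam:PassRole", ROLE))
    print("denied by:", find_explicit_denies(SCPS, "iam:PassRole", ROLE))
    print("ecs:UpdateService alone:", evaluate(IDENTITY_POLICIES, SCPS, "ecs:UpdateService", SERVICE))
```

With the constructed SCP, `find_explicit_denies` names the `DenyUnapprovedPassRole` statement, and `evaluate` returns `explicit-deny` for PassRole on the /ecs/ role while `ecs:UpdateService` on its own is allowed, which is the same split the post observed between desiredCount changes and task definition changes. Because no Allow can outrank that Deny, the fix lives in the SCP (or in placing the execution role where the SCP permits it), not in adding more Allow statements to the Lambda role.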

huangapple
  • Posted by huangapple on 2023-05-30 11:56:35
  • Please keep this link when reposting: https://go.coder-hub.com/76361527.html