aws lambda function can't update ecs service
Question
When trying to call update_service on an ECS service using Python boto3, I got an error like this:
> An error occurred (AccessDeniedException) when calling the UpdateService operation: User: arn:aws:sts::xxx:assumed-role/infra-conductors/infra-conductors is not authorized to perform: iam:PassRole on resource: arn:aws:iam::xxx:role/ecs/ecsTaskExecutionRole-test with an explicit deny in a service control policy
but I've already added permissions and a trust policy to this Lambda:
{
"Action": [
"iam:PassRole"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::xxx:role/ecs/ecsTaskExecutionRole-test"
],
"Sid": "test"
},
and,
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com",
"ecs.amazonaws.com",
"ecs-tasks.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
BTW, I attached other permissions to this Lambda, and it can reboot an ECS service or change the desiredCount, but when I try to change the taskdef, I get this error.
Answer 1
Score: 3
The error says that it was denied with an explicit deny. This means that somewhere there is a policy that explicitly denies what you are trying to do. Since a deny statement always takes precedence over any allow, first you have to find the policy with the deny and remove the deny.
Comments