【Title】: Having issues accessing Parameter Store value from ECS Task with ExecutionRole
【Posted】: 2020-02-06 22:00:51
【Description】:

I am trying to pass sensitive data to a container running in an ECS service. I have been following the AWS documentation on how to do this (link). I did the following:

  • Defined my-param in the SSM Parameter Store
  • Created a TaskRole (see below)
  • Used the TaskRole as the task's ExecutionRole
  • Added an environment variable to the container instances

Here is the task definition:

Description: >
  An IAM Role that gives tasks access to SSM Parameter store.
  https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html

Resources:

  TaskRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub ecs-task-role-${AWS::StackName}
      Path: /
      AssumeRolePolicyDocument: |
        {
            "Statement": [{
                "Effect": "Allow",
                "Principal": { "Service": [ "ecs-tasks.amazonaws.com" ]},
                "Action": [ "sts:AssumeRole" ]
            }]
        }
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
      Policies:
        - PolicyName: !Sub ecs-task-role-${AWS::StackName}
          PolicyDocument: !Sub |
            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "ssm:GetParameters"
                  ],
                  "Resource": [
                    "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/my-param"
                  ]
                }
              ]
            }


Outputs:
  TaskRole:
    Description: An IAM Role that gives tasks read access to SSM Parameter store parameters.
    Value: !Ref TaskRole

Here is my task definition that uses this role:

  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: backend
      ExecutionRoleArn: !Ref TaskRole  # <--- TaskRole is passed in as a parameter
      ContainerDefinitions:
        - Name: backend
          Essential: true
          Image: !Ref ImageUrl
          MemoryReservation: 128
          Command:
            - '/start_prod.sh'
          Secrets:  # <-- here is where I'm trying to access the parameter
            - Name: MY_PARAM
              ValueFrom: !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/my-param"
          Environment:
            - Name: GIT_SHA
              Value: !Ref GitSHA

In my CloudFormation::Init LaunchConfiguration metadata I added the following:

            03_enable_awslogs_executionrole_override:
              command: echo ECS_ENABLE_AWSLOGS_EXECUTIONROLE_OVERRIDE=true >> /etc/ecs/ecs.config

When I update the stack, it seems to hang and then eventually rolls back with a "failed to stabilize" error on the service where I have a task that is trying to use the TaskRole I defined.

The project source is here: https://gitlab.com/verbose-equals-true/django-postgres-vue-gitlab-ecs

【Discussion】:

    Tags: amazon-web-services amazon-cloudformation amazon-ecs aws-parameter-store


    【Solution 1】:

    I was just using an outdated container agent. From the docs:

    For tasks that use the EC2 launch type, this feature requires that your container instance have version 1.22.0 or later of the container agent.

    After updating my LaunchConfiguration, everything worked:

    Parameters:

      ECSAMI:
        Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
        Default: /aws/service/ecs/optimized-ami/amazon-linux/recommended/image_id
        Description: The Amazon Machine Image ID used for the cluster, leave it as the default value to get the latest AMI

    Resources:

      ContainerInstances:
        Type: AWS::AutoScaling::LaunchConfiguration
        Properties:
          ImageId: !Ref ECSAMI
          ...


    【Comments】:
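As an added example (not code from the question, the answer or the linked project), the script below performs offline the two checks this thread turns on: that every `Secrets[].ValueFrom` ARN in the container definition is covered by an Allow statement for `ssm:GetParameters` in the execution role's inline policy, and that each container instance runs a container agent of version 1.22.0 or later. The policy and container definition are copied from the question with the `${AWS::Region}` and `${AWS::AccountId}` pseudo parameters replaced by constructed placeholder values; the instance list and its agent versions are constructed sample data, and the function names are my own. It makes no AWS API calls, so it runs without credentials.

```python
"""Offline pre-flight checks for ECS secrets injected from SSM Parameter Store.

Added example, not code from the question or the linked project.
Data below mirrors the CloudFormation in the question; placeholder and
sample values are constructed, and nothing here talks to AWS.
"""
import fnmatch
import json
from typing import Dict, List, Tuple

REGION = "us-east-1"         # constructed placeholder for ${AWS::Region}
ACCOUNT_ID = "123456789012"  # constructed placeholder for ${AWS::AccountId}

# Inline policy of the question's TaskRole, pseudo parameters substituted.
EXECUTION_ROLE_POLICY = json.loads(f"""
{{
  "Version": "2012-10-17",
  "Statement": [
    {{
      "Effect": "Allow",
      "Action": ["ssm:GetParameters"],
      "Resource": ["arn:aws:ssm:{REGION}:{ACCOUNT_ID}:parameter/my-param"]
    }}
  ]
}}
""")

# The question's container definition, reduced to the part that matters here.
CONTAINER_DEFINITION = {
    "Name": "backend",
    "Secrets": [
        {"Name": "MY_PARAM",
         "ValueFrom": f"arn:aws:ssm:{REGION}:{ACCOUNT_ID}:parameter/my-param"},
    ],
}

# Minimum agent version the docs quote for Secrets on the EC2 launch type.
MIN_AGENT_VERSION = (1, 22, 0)

# Constructed sample: container instance id -> reported agent version.
SAMPLE_INSTANCES = {
    "i-0aaaaaaaaaaaaaaa1": "1.17.3",   # too old, like the asker's instances
    "i-0bbbbbbbbbbbbbbb2": "1.22.0",   # exactly the minimum
    "i-0ccccccccccccccc3": "1.36.2",
}


def _as_list(value) -> List[str]:
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _secret_arn(value_from: str) -> str:
    """ECS lets a same-region SSM parameter be given by name; expand it to an ARN."""
    if value_from.startswith("arn:"):
        return value_from
    return f"arn:aws:ssm:{REGION}:{ACCOUNT_ID}:parameter/{value_from.lstrip('/')}"


def uncovered_secrets(policy: Dict, container: Dict) -> List[str]:
    """Return the secret ARNs no Allow statement for ssm:GetParameters covers.

    Action matching is case-insensitive and Resource matching honours IAM's
    * and ? wildcards. Deny statements are not modelled: this is a quick
    template sanity check, not an IAM policy simulator.
    """
    allowed_resources: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase("ssm:getparameters", a) for a in actions):
            continue
        allowed_resources.extend(_as_list(stmt.get("Resource", [])))

    missing = []
    for secret in container.get("Secrets", []):
        arn = _secret_arn(secret["ValueFrom"])
        if not any(fnmatch.fnmatchcase(arn, pat) for pat in allowed_resources):
            missing.append(arn)
    return missing


def parse_agent_version(version: str) -> Tuple[int, int, int]:
    """Turn an agent version string such as '1.22.0' into a comparable 3-tuple."""
    parts = [int(p) for p in version.strip().lstrip("v").split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def instances_needing_agent_update(instances: Dict[str, str]) -> List[str]:
    """Given {instance_id: agent_version}, list the instances below 1.22.0."""
    return [iid for iid, ver in instances.items()
            if parse_agent_version(ver) < MIN_AGENT_VERSION]


if __name__ == "__main__":
    print("Secrets not covered by the execution role policy:",
          uncovered_secrets(EXECUTION_ROLE_POLICY, CONTAINER_DEFINITION))
    print("Container instances with an agent older than 1.22.0:",
          instances_needing_agent_update(SAMPLE_INSTANCES))
```

For the question's own template the first check comes back empty, which is consistent with the answer: the policy was fine and the failure came from the agent version, which the second check flags on the constructed 1.17.3 instance. A real deployment would feed `uncovered_secrets` the rendered task definition and execution role policy, and `instances_needing_agent_update` the `agentVersion` values reported for the cluster's container instances.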
