【问题标题】:ECS Fargate Service - who needs to access KMS for Secrets?ECS Fargate 服务 - 谁需要访问 KMS 以获取 Secrets?
【发布时间】:2019-11-22 22:08:07
【问题描述】:

我正在尝试设置 ECS 服务,该服务将使用 MySQL 和 Webserver 运行单个任务。我想从SSM Parameter Store 注入一些运行时参数作为环境变量。其中一些将是纯文本,但有些将使用KMS 加密。所以假设我有以下任务定义:

{
  "ipcMode": null,
  "executionRoleArn": "arn:aws:iam::657433956652:role/ecsTaskExecutionRole",
  "containerDefinitions": [
    {
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "/ecs/wordpress-test",
          "awslogs-region": "eu-central-1",
          "awslogs-stream-prefix": "ecs"
        }
      },
      "entryPoint": null,
      "portMappings": [
        {
          "hostPort": 80,
          "protocol": "tcp",
          "containerPort": 80
        }
      ],
      "memoryReservation": 512,
      "name": "wordpress"
    },
    {
      "dnsSearchDomains": null,
      "logConfiguration": {
        "logDriver": "awslogs",
        "secretOptions": null,
        "options": {
          "awslogs-group": "/ecs/wordpress-test",
          "awslogs-region": "eu-central-1",
          "awslogs-stream-prefix": "ecs"
        }
      },
      "secrets": [
        {
          "valueFrom": "arn:aws:ssm:eu-central-1:657433956652:parameter/project/dev/db.connection.default.password",
          "name": "MYSQL_ROOT_PASSWORD"
        }
      ],
      "memoryReservation": 512,
      "name": "mysql"
    }
  ],
  "placementConstraints": [],
  "memory": "1024",
  "taskRoleArn": "arn:aws:iam::657433956652:role/ecsTaskExecutionRole",
  "compatibilities": [
    "FARGATE"
  ],
  "taskDefinitionArn": "arn:aws:ecs:eu-central-1:657433956652:task-definition/wordpress-test:1",
  "family": "wordpress-test",
  "networkMode": "awsvpc",
  "cpu": "512",
}

问题是:哪个角色应该有权读取SSM Parameter Store 和用于加密SecureStrings 参数的密钥?实际动态创建服务的应该是 Service、Cluster 还是 Pipeline?

【问题讨论】:

    标签: amazon-web-services amazon-iam aws-fargate aws-kms


    【解决方案1】:

    您的ecsTaskExecutionRole 应该有权访问 SSM 参数。

    创建内联策略并将该策略附加到 arn:aws:iam::657433956652:role/ecsTaskExecutionRole

    来自文档示例,

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ssm:GetParameters",
            "secretsmanager:GetSecretValue",
            "kms:Decrypt"
          ],
          "Resource": [
            "arn:aws:ssm:<region>:<aws_account_id>:parameter/parameter_name",
            "arn:aws:secretsmanager:<region>:<aws_account_id>:secret:secret_name",
            "arn:aws:kms:<region>:<aws_account_id>:key/key_id"
          ]
        }
      ]
    }
    

    https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html#secrets-iam

    【讨论】:

      猜你喜欢
      • 1970-01-01
      • 1970-01-01
      • 2022-11-14
      • 1970-01-01
      • 2021-07-04
      • 2021-05-21
      • 2020-08-14
      • 2020-04-30
      • 1970-01-01
      相关资源
      最近更新 更多