【Title】: AWS CredentialProviders fail to retrieve credentials in Fargate
【Posted】: 2021-01-24 21:55:54
【Question】:

I am running a Spring Boot application that uses Secrets Manager in AWS Fargate. This is what I supply to the AWS SDK as the credentials provider:

import com.amazonaws.auth.AWSCredentialsProviderChain;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper;
import com.amazonaws.auth.EnvironmentVariableCredentialsProvider;
import com.amazonaws.auth.SystemPropertiesCredentialsProvider;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
// StringUtils and @Nullable come from the project's own utility/annotation libraries (not shown in the question).

public class ProfiledCredentialsProvider extends AWSCredentialsProviderChain {

    public ProfiledCredentialsProvider(@Nullable final String profile) {
        // Providers are tried in order; the first one that yields credentials wins.
        super(new DefaultAWSCredentialsProviderChain(), new EC2ContainerCredentialsProviderWrapper(),
                new EnvironmentVariableCredentialsProvider(), new SystemPropertiesCredentialsProvider(),
                StringUtils.isBlank(profile) ? new ProfileCredentialsProvider()
                        : new ProfileCredentialsProvider(profile));
        // Remember which provider succeeded so later calls skip the ones that failed.
        this.setReuseLastProvider(true);
    }

}

This lets me run the application locally using an alternate AWS profile. However, when I run it in Fargate, I get the following stack trace:

com.amazonaws.SdkClientException: Unable to load AWS credentials from any provider in the chain: [com.amazonaws.auth.DefaultAWSCredentialsProviderChain@3439f68d: Unable to load AWS credentials from any provider in the chain: [EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)), SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey), WebIdentityTokenCredentialsProvider: To use assume role profiles the aws-java-sdk-sts module must be on the class path., com.amazonaws.auth.profile.ProfileCredentialsProvider@1cab0bfb: profile file cannot be null, com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@140e5a13: Failed to connect to service endpoint: ], com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper@dbd940d: Failed to connect to service endpoint: , EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)), SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey), com.amazonaws.auth.profile.ProfileCredentialsProvider@71d15f18: profile file cannot be null]
    at com.amazonaws.auth.AWSCredentialsProviderChain.getCredentials(AWSCredentialsProviderChain.java:136) ~[aws-java-sdk-core-1.11.793.jar!/:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.getCredentialsFromContext(AmazonHttpClient.java:1257) ~[aws-java-sdk-core-1.11.793.jar!/:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.runBeforeRequestHandlers(AmazonHttpClient.java:833) ~[aws-java-sdk-core-1.11.793.jar!/:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:783) ~[aws-java-sdk-core-1.11.793.jar!/:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:770) ~[aws-java-sdk-core-1.11.793.jar!/:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:744) ~[aws-java-sdk-core-1.11.793.jar!/:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:704) ~[aws-java-sdk-core-1.11.793.jar!/:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:686) ~[aws-java-sdk-core-1.11.793.jar!/:na]
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:550) ~[aws-java-sdk-core-1.11.793.jar!/:na]
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:530) ~[aws-java-sdk-core-1.11.793.jar!/:na]
    at com.amazonaws.services.secretsmanager.AWSSecretsManagerClient.doInvoke(AWSSecretsManagerClient.java:2634) ~[aws-java-sdk-secretsmanager-1.11.793.jar!/:na]
    at com.amazonaws.services.secretsmanager.AWSSecretsManagerClient.invoke(AWSSecretsManagerClient.java:2601) ~[aws-java-sdk-secretsmanager-1.11.793.jar!/:na]
    at com.amazonaws.services.secretsmanager.AWSSecretsManagerClient.invoke(AWSSecretsManagerClient.java:2590) ~[aws-java-sdk-secretsmanager-1.11.793.jar!/:na]
    at com.amazonaws.services.secretsmanager.AWSSecretsManagerClient.executeGetSecretValue(AWSSecretsManagerClient.java:1213) ~[aws-java-sdk-secretsmanager-1.11.793.jar!/:na]
    at com.amazonaws.services.secretsmanager.AWSSecretsManagerClient.getSecretValue(AWSSecretsManagerClient.java:1184) ~[aws-java-sdk-secretsmanager-1.11.793.jar!/:na]

Here is an excerpt from my task-definition.json:

{
  "family": "transfer-services-api",
  "executionRoleArn": "arn:aws:iam::************:role/ecs-task-execution-role",
  "requiresCompatibilities": [
    "FARGATE"
  ]
}

In the "Trust relationships":

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

with the AmazonECSTaskExecutionRolePolicy policy attached (no permissions boundary set). Any help would be great, thanks.

【Comments】:

  • This is exactly the situation I warned you about when I commented on your previous question. Things tend to go much more smoothly if you simply remove all the credential-provider code, use environment variables when running outside AWS, and let the SDK's default behaviour take over when running on AWS.
  • @MarkB Thanks for the comment, I'm only reading it now. I understand what you're saying, but setting the AWS_PROFILE environment variable doesn't work for me locally. I don't care much about running locally though, so I went ahead and removed any injection of credential providers, but I still get a similar error (plus or minus a few credential providers in the chain).
  • Are you setting a task role, or only an execution role? You need to specify a task role for code running inside the ECS task to be able to access AWS resources.
  • @MarkB Hmm, I most likely only set up a task execution role. Where do I specify a task role? Is it a different entry in my task definition?

Tags: amazon-web-services aws-sdk amazon-iam aws-fargate


【Answer 1】:

You need to assign a task role. The execution role gives ECS access to resources such as ECR and Secrets Manager in order to run your ECS task. The task role gives your task's code access to other AWS resources. See the documentation here.
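As an added worked example (not part of the original question or answer), the following Python builds the corrected task definition with both executionRoleArn and taskRoleArn, a trust policy that lets ecs-tasks.amazonaws.com assume the task role, and a permission policy for the task role scoped to the single secret the application reads. It also includes a small check that flags the shape of the question's original definition (execution role only), and a helper for use inside the container: ECS sets AWS_CONTAINER_CREDENTIALS_RELATIVE_URI only when a task role is attached, which is what the SDK's EC2ContainerCredentialsProviderWrapper needs to find the credential endpoint. The account id, secret ARN, task-role name and image are constructed placeholders; the networkMode check goes slightly beyond the page (Fargate requires awsvpc).

```python
import json
import os
from typing import Dict, List

# Constructed placeholders, not values from the original question.
ACCOUNT_ID = "123456789012"
SECRET_ARN = f"arn:aws:secretsmanager:us-east-1:{ACCOUNT_ID}:secret:transfer-services/db-EXAMPLE"
ECS_TASKS_PRINCIPAL = "ecs-tasks.amazonaws.com"

# Trust policy for the task role: only the ECS tasks service may assume it.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ECS_TASKS_PRINCIPAL},
        "Action": "sts:AssumeRole",
    }],
}

# Permission policy for the task role: least privilege, one action on one secret.
TASK_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue"],
        "Resource": SECRET_ARN,
    }],
}

# Corrected task definition: execution role for ECS itself, task role for the app code.
TASK_DEFINITION = {
    "family": "transfer-services-api",
    "executionRoleArn": f"arn:aws:iam::{ACCOUNT_ID}:role/ecs-task-execution-role",
    "taskRoleArn": f"arn:aws:iam::{ACCOUNT_ID}:role/transfer-services-api-task-role",  # assumed name
    "requiresCompatibilities": ["FARGATE"],
    "networkMode": "awsvpc",
    "cpu": "256",
    "memory": "512",
    "containerDefinitions": [{"name": "api", "image": "<your-image>", "essential": True}],
}


def check_task_definition(td: Dict) -> List[str]:
    """Return findings for the credential-related fields of an ECS task definition."""
    findings = []
    if not td.get("taskRoleArn"):
        findings.append("taskRoleArn missing: code inside the task gets no credentials "
                        "(the execution role only serves ECS itself)")
    if not td.get("executionRoleArn"):
        findings.append("executionRoleArn missing: ECS cannot pull the image or inject secrets")
    if "FARGATE" in td.get("requiresCompatibilities", []) and td.get("networkMode") != "awsvpc":
        findings.append("Fargate requires networkMode 'awsvpc'")
    return findings


def check_trust_policy(policy: Dict) -> bool:
    """True if some Allow statement lets ecs-tasks.amazonaws.com call sts:AssumeRole."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        services = stmt.get("Principal", {}).get("Service", [])
        actions = stmt.get("Action", [])
        services = [services] if isinstance(services, str) else services
        actions = [actions] if isinstance(actions, str) else actions
        if ECS_TASKS_PRINCIPAL in services and "sts:AssumeRole" in actions:
            return True
    return False


def task_role_attached_in_container() -> bool:
    """Run inside the container: ECS sets this variable only when a task role is attached."""
    return bool(os.environ.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"))


if __name__ == "__main__":
    original_shape = {k: v for k, v in TASK_DEFINITION.items() if k != "taskRoleArn"}
    print("original definition:", check_task_definition(original_shape))
    print("corrected definition:", check_task_definition(TASK_DEFINITION))
    print("trust policy ok:", check_trust_policy(TRUST_POLICY))
    print(json.dumps(TASK_DEFINITION, indent=2))
```

The execution role keeps AmazonECSTaskExecutionRolePolicy as in the question; the new task role carries only TASK_ROLE_POLICY, so a compromised container can read the one secret it needs and nothing else. Inside a running task, `task_role_attached_in_container()` returning False is the quickest confirmation that the definition still lacks taskRoleArn.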

【Discussion】:
