
From the console, I am invoking a lambda that submits a batch job. The batch job fails, indicating that ECS is unable to assume the role provided for executing the job definition.

For the role, I have added the lambda and ECS services.

Error message:

"ECS was unable to assume the role 'arn:aws:iam::749340585813:role/golfnow-invoke-write-progress' that was provided for this task. Please verify that the role being passed has the proper trust relationship and permissions and that your IAM user has permissions to pass this role."

"TrainingJobRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "RoleName": "golfnow-invoke-write-progress",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "lambda.amazonaws.com",
              "ecs.amazonaws.com"
            ]
          },
          "Action": [
            "sts:AssumeRole"
          ]
        }
      ]
    },
    "Path": "/"
  }
}

Batch job:

"TrainingJob": {
  "Type": "AWS::Batch::JobDefinition",
  "Properties": {
    "Type": "container",
    "JobDefinitionName": {
      "Fn::Sub": "c12e-golfnow-${Environment}-job"
    },
    "ContainerProperties": {
      "Image": {
        "Fn::Join": [
          "",
          [
            "{{ image omitted }}",
            {
              "Ref": "AWS::Region"
            },
            ".amazonaws.com/amazonlinux:latest"
          ]
        ]
      },
      "Vcpus": 2,
      "Memory": 2000,
      "Command": [
        "while", "True", ";", "do", "echo", "'hello';", "done"
      ],
      "JobRoleArn": {
        "Fn::GetAtt": [
          "TrainingJobRole",
          "Arn"
        ]
      }
    },
    "RetryStrategy": {
      "Attempts": 1
    }
  }
},
"JobQueue": {
  "Type": "AWS::Batch::JobQueue",
  "Properties": {
    "Priority": 1,
    "ComputeEnvironmentOrder": [
      {
        "Order": 1,
        "ComputeEnvironment": {
          "Ref": "ComputeEnvironment"
        }
      }
    ]
  }
}

Is there something wrong with the way I am invoking it? My user has administrator permissions, so I don't think the problem is that my user lacks permissions.


4 Answers


You need to add the principal "ecs-tasks.amazonaws.com" to the trust policy of the role that submits the batch job (not "ecs.amazonaws.com").

Modified role:

"TrainingJobRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "golfnow-invoke-write-progress",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "lambda.amazonaws.com",
                  "ecs-tasks.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Path": "/"
      }
    },
answered 2018-02-27T19:32:55.253
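A static check for exactly this misconfiguration, as an added example that is not from the question or any of the answers: it walks a CloudFormation template for AWS::Batch::JobDefinition resources, follows each JobRoleArn Fn::GetAtt to its IAM role, and reports roles whose trust policy does not let ecs-tasks.amazonaws.com call sts:AssumeRole (string-or-list policy elements, wildcards and explicit Deny are handled). The sample template is constructed to mirror the question's (it trusts ecs.amazonaws.com), and all function names are my own.

```python
# AWS Batch container jobs run as ECS tasks, so the job role must trust the
# "ecs-tasks.amazonaws.com" principal; "ecs.amazonaws.com" is a different one.
ECS_TASKS = "ecs-tasks.amazonaws.com"

def _as_list(value):
    """IAM policy elements may be a bare string or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _covers_assume_role(action):
    """True if an Action entry grants sts:AssumeRole, including wildcards."""
    a = action.lower()
    return a == "sts:assumerole" or (a.endswith("*") and "sts:assumerole".startswith(a[:-1]))

def service_can_assume(trust_policy, service=ECS_TASKS):
    """True if `service` may call sts:AssumeRole; an explicit Deny overrides Allow."""
    allowed = False
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal", {})
        services = ["*"] if principal == "*" else _as_list(principal.get("Service"))
        if service not in services and "*" not in services:
            continue
        if not any(_covers_assume_role(a) for a in _as_list(stmt.get("Action"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed

def job_roles_missing_ecs_tasks_trust(template):
    """Logical IDs of roles used as a Batch JobRoleArn (Fn::GetAtt) that ecs-tasks cannot assume."""
    resources, missing = template.get("Resources", {}), []
    for res in resources.values():
        if res.get("Type") != "AWS::Batch::JobDefinition":
            continue
        arn = res["Properties"].get("ContainerProperties", {}).get("JobRoleArn", {})
        role_id = arn.get("Fn::GetAtt", [None])[0] if isinstance(arn, dict) else None
        role = resources.get(role_id, {})
        if role.get("Type") == "AWS::IAM::Role" and not service_can_assume(
                role["Properties"]["AssumeRolePolicyDocument"]):
            missing.append(role_id)
    return missing

# Constructed sample mirroring the question's template (trusts "ecs.amazonaws.com").
TEMPLATE = {"Resources": {
    "TrainingJobRole": {"Type": "AWS::IAM::Role", "Properties": {"AssumeRolePolicyDocument": {
        "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"],
            "Principal": {"Service": ["lambda.amazonaws.com", "ecs.amazonaws.com"]}}]}}},
    "TrainingJob": {"Type": "AWS::Batch::JobDefinition", "Properties": {"Type": "container",
        "ContainerProperties": {"JobRoleArn": {"Fn::GetAtt": ["TrainingJobRole", "Arn"]}}}}}}
```

Calling `job_roles_missing_ecs_tasks_trust(TEMPLATE)` returns `['TrainingJobRole']`; swapping the principal for ecs-tasks.amazonaws.com, as in the accepted answer, makes it return an empty list.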

For those writing CDK scripts in Java: when defining a TaskDefinition you do not have to explicitly provide any taskRole or executionRole. CDK will create the appropriate roles for you.

answered 2020-10-16T09:09:23.703

You need to add a trust policy to ECS so that it can call the Batch service.

   "Principal": {
      "Service":  [
            "batch.amazonaws.com"
      ]
    },
answered 2018-02-27T00:41:55.387

Adding the role name in the CDK script solved my problem.

// Task/execution role trusted by the ECS task principal, with an explicit name.
const ecsFargateServiceRole = new iam.Role(this, 'execution-role', {
  assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
  roleName: "execution-role"
});
// executionRolePolicy is an iam.PolicyStatement defined elsewhere in the script (not shown in the answer).
ecsFargateServiceRole.addToPolicy(executionRolePolicy);
answered 2022-01-29T13:07:40.330