1

我有 Fargate 的 ECS 服务,它有两个容器

我有 IAM 角色 arn:aws:iam::468589876897:role/app/my-test-app,这个角色被添加到我的 ecs task_role 和 execution_role

我也有一个路径 /myapp/secret/key_1-zbv0eq 的秘密,它具有如下权限

"Effect":"Deny",
"action" : "secretsmanager:getsecretvalue", "resource" : "*", "condition" : { "arnnotlike" : { "aws:principalarn" : [ "arn:aws:iam::468589876897:role/app/my-test-app" ] } } }

我有下面的代码来阅读我的秘密经理

      String secretName = "/myapp/secret/key_1-zbv0eq";
      String endpoint = "secretsmanager.us-west-2.amazonaws.com";
      String region = "us-west-2";

      AwsClientBuilder.EndpointConfiguration config = new AwsClientBuilder.EndpointConfiguration(endpoint, region);
      AWSSecretsManagerClientBuilder clientBuilder = AWSSecretsManagerClientBuilder.standard();
      clientBuilder.setEndpointConfiguration(config);
      AWSSecretsManager client = clientBuilder.build();

      String secret;
      ByteBuffer binarySecretData;
      GetSecretValueRequest getSecretValueRequest = new GetSecretValueRequest()
              .withSecretId(secretName).withVersionStage("AWSCURRENT");
      GetSecretValueResult getSecretValueResult = null;
      try {
          getSecretValueResult = client.getSecretValue(getSecretValueRequest);

      } catch(ResourceNotFoundException e) {
          System.out.println("The requested secret " + secretName + " was not found");
      } catch (InvalidRequestException e) {
          System.out.println("The request was invalid due to: " + e.getMessage());
      } catch (InvalidParameterException e) {
          System.out.println("The request had invalid params: " + e.getMessage());
      }

       
      // Depending on whether the secret was a string or binary, one of these fields will be populated
      if(getSecretValueResult.getSecretString() != null) {
          secret = getSecretValueResult.getSecretString();
          System.out.println(secret);
      }
      else {
          binarySecretData = getSecretValueResult.getSecretBinary();
          System.out.println(binarySecretData.toString());
      }

  }

当我运行此代码时,出现以下错误,

user: arn:aws:sts::468589876897:assumed-role/my-test-app/41810bc3cf2b4c99ad87f641810bc3cf 
is not authorized to perform: secretsmanager:getsecretvalue on resource: 
/myapp/secret/key_1-zbv0eq (service: awssecretsmanager; status code: 400; error code: accessdeniedexception; request id: 8254cdd0-3ce4-4485-bcd8-8af4b08e6fa2

我不确定如何使用此角色arn:aws:sts::468589876897:assumed-role/my-test-app/41810bc3cf2b4c99ad87f641810bc3cf而不是arn:aws:iam::468589876897:role/app/my-test-app

我在 AWS 控制台上仔细检查过,ECS 任务具有 task_iam_role,并且容器定义中的执行角色显示为 arn:aws:iam::468589876897:role/app/my-test-app

可能缺少什么?

4

1 回答 1

0

为了检索您的凭证,您的环境必须有权访问 aws secret manager。这是通过 IAM 角色给出的,在您使用“拒绝”而不是“允许”的策略中。“获取秘密值”方法将返回一个 json,其中包含字典格式的所有凭据。您收到的错误表示您没有环境权限。我认为更改您的策略将完成您的工作(更改为“允许”获取秘密方法,如果您使用任何其他服务也允许其他服务访问,或者您可以使用秘密管理器读写 AWS 内置策略)

于 2021-05-10T11:57:53.367 回答