我有一个CloudFormation模板用于build立一个ECS集群,我正试图使用ASG上的CloudFormation :: Init将一些configuration文件放到该框上,并将它们从S3中抽出。
"ECSASGLaunchConfiguration": { "Type": "AWS::AutoScaling::LaunchConfiguration", "Metadata": { "AWS::CloudFormation::Authentication": { "S3AccessCreds": { "type": "S3", "roleName": { "Ref": "ECSEC2InstanceIAMRole" } } }, "AWS::CloudFormation::Init": { "config": { "packages": { }, "groups": { }, "users": { }, "sources": { }, "files": { "/etc/dd-agent/conf.d/nginx.yaml": { "source": "https://s3.amazonaws.com/foobar/scratch/nginx.yaml", "mode": "000644", "owner": "root", "group": "root" }, "/etc/dd-agent/conf.d/docker_daemon.yaml": { "source": "https://s3.amazonaws.com/foobar/scratch/docker_daemon.yaml", "mode": "000644", "owner": "root", "group": "root" } }, "commands": { }, "services": { } } } }, 为此,我在内部添加了一个策略,用于为我的EC2实例创build的angular色,该angular色应允许来自实例的所有S3访问。
"ECSEC2InstanceIAMRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "ec2.amazonaws.com" ] }, "Action": [ "sts:AssumeRole" ] } ] }, "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role", "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess" ], "Path": "/", "Policies": [ { "PolicyName": "otxS3access", "PolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::foobar" }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ], "Resource": "arn:aws:s3:::foobar/*" } ] } } ] } }, "ECSEC2InstanceIAMProfile": { "Type": "AWS::IAM::InstanceProfile", "Properties": { "Path": "/", "Roles": [ { "Ref": "ECSEC2InstanceIAMRole" } ] } },
但它不起作用。 我在日志中找不到错误(或其他)。 当我手动尝试从实例curl它也不工作,“ AccessDenied …”
在这种情况下,桶本身,“foobar”,没有任何特别的权限,除了没有公开,只是标准的帐户名单单承授人。
任何想法我做错了什么?
我发现了这个问题。 在这个问题中的所有CloudFormation都很好,并做它应该的。 问题出在我在ASG启动configuration中设置的实例用户数据中运行cfn-init时,这不起作用,所以它没有执行init的东西。 感谢@ Rob-d,您的评论使我走上了可执行级别的道路。
使所有这些工作的神奇的其他部分:
"UserData": { "Fn::Base64": { "Fn::Join": [ "", [ "#!/bin/bash\n", "cat > /etc/ecs/ecs.config <<EOF\n", "ECS_CLUSTER=", { "Ref": "ECSCluster" }, "\n", "ECS_ENGINE_AUTH_TYPE=docker\n", "ECS_ENGINE_AUTH_DATA={REDACTED}\n", "EOF\n", "yum -y install aws-cfn-bootstrap\n", "# Install the files and packages from the metadata\n", "/opt/aws/bin/cfn-init -v ", " --stack ", { "Ref": "AWS::StackName" }, " --resource ECSASGLaunchConfiguration ", " --region ", { "Ref": "AWS::Region" }, "\n", "/opt/aws/bin/cfn-signal -e -0 ", " --stack ", { "Ref": "AWS::StackName" }, " --resource ECSAutoScalingGroup ", " --region ", { "Ref": "AWS::Region" }, "\n", "\n" ] ] } }