Question
I have the following piece of code in a CloudFormation template that defines a role with a policy for my task, which needs to pull an image from my ECR registry:
TaskDefinition:
  Type: 'AWS::ECS::TaskDefinition'
  DependsOn:
    - TaskPolicy0
  Properties:
    Family: !Sub '${EcsTaskDefFamily}'
    # TaskRoleArn is the role the application inside the container assumes.
    # The image pull itself is done by the ECS agent with the task execution
    # role (ExecutionRoleArn, Fargate) or the container instance role (EC2).
    TaskRoleArn: !Ref EcsTaskRole
    ContainerDefinitions:
      - Name: !Ref NodeContName
        Essential: 'true'
        Image: !Ref ImageFullName ### PULLED IMAGE
        Memory: !Ref ContainerMemory
        MemoryReservation: !Ref ContainerMemoryReservation
        PortMappings:
          - ContainerPort: !Ref NodeContainerPort
            HostPort: !Ref NodeHostPort
            Protocol: tcp
EcsTaskRole:
  Type: 'AWS::IAM::Role'
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'   # quoted so the YAML parser does not read it as a date
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - ecs-tasks.amazonaws.com
          Action:
            - 'sts:AssumeRole'
    # IAM accepts a path only if it is "/" or begins and ends with "/"
    Path: !Ref EcsTaskRolePath
TaskPolicy0:
  Type: 'AWS::IAM::Policy'
  Properties:
    PolicyName: ecr-readonly
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action:
            - 'ecr:GetAuthorizationToken'
            - 'ecr:BatchCheckLayerAvailability'
            - 'ecr:GetDownloadUrlForLayer'
            - 'ecr:GetRepositoryPolicy'
            - 'ecr:DescribeRepositories'
            - 'ecr:ListImages'
            - 'ecr:DescribeImages'
            - 'ecr:BatchGetImage'
          # ecr:GetAuthorizationToken only works with '*'; the repository
          # actions above could be scoped to the repository ARN instead
          Resource: '*'
    Roles:
      - !Ref EcsTaskRole
But when I run my CloudFormation template I get the following error:
What is that? I have defined a trust policy. I didn't define an IAM role for CloudFormation, but I am running this template from my admin account, which has the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
EDIT
When I change my EcsTaskRolePath from "ecs/services/tasks/" to "/" (the same path my Admin user has, which I use to start the stack creation), the error disappears and everything is fine. What is the problem? And can someone give me some info about these IAM paths, because all I found is a single page in the docs?
Source: https://stackoverflow.com/questions/51810911/error-with-ecs-assuming-task-role
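As an added example (not part of the original question, and not an answer posted on it): a small Python helper covering the two things the post touches, the IAM role path and the ECR read statement. It checks a value against the path constraint that the IAM CreateRole API documents (a path is either "/" alone or begins and ends with "/", 1 to 512 characters), shows where the path lands in the role ARN, derives the repository ARN from an ECR image URI, and rewrites the `Resource: '*'` statement so that only `ecr:GetAuthorizationToken` keeps `*`. The value "ecs/services/tasks/" quoted in the edit fails that constraint and "/ecs/services/tasks/" passes it; the page does not show the error text, so the example demonstrates the check rather than what the stack reported. All function names, the account ID and the image URI are this example's own constructed values.

```python
"""Added example, not code from the original question. Helper names, the
account ID and the image URI below are constructed for illustration."""
import json
import re

# Path constraint from the IAM API reference (CreateRole): either "/" by
# itself, or "/" + one or more printable ASCII characters (0x21-0x7F) + "/",
# and 1..512 characters in total.
_PATH_RE = re.compile(r"^(/|/[\x21-\x7F]+/)$")

# Standard-partition ECR image URI:
#   <account>.dkr.ecr.<region>.amazonaws.com/<repo>[:tag][@digest]
_ECR_IMAGE_RE = re.compile(
    r"^(?P<account>\d{12})\.dkr\.ecr\.(?P<region>[a-z0-9-]+)\.amazonaws\.com/"
    r"(?P<repo>[^:@]+)(?::(?P<tag>[^@]+))?(?:@(?P<digest>.+))?$"
)


def is_valid_iam_path(path: str) -> bool:
    """True if IAM would accept `path` as a role/user/group path."""
    return 1 <= len(path) <= 512 and _PATH_RE.match(path) is not None


def role_arn(account_id: str, path: str, role_name: str, partition: str = "aws") -> str:
    """The path is embedded in the ARN: ...:role<path><name>, e.g.
    arn:aws:iam::123456789012:role/ecs/services/tasks/EcsTaskRole."""
    if not is_valid_iam_path(path):
        raise ValueError(f"invalid IAM path {path!r}: must begin and end with '/'")
    return f"arn:{partition}:iam::{account_id}:role{path}{role_name}"


def ecr_repository_arn(image: str, partition: str = "aws") -> str:
    """Repository ARN for a standard-partition ECR image URI (tag or digest)."""
    m = _ECR_IMAGE_RE.match(image)
    if m is None:
        raise ValueError(f"not a recognised ECR image URI: {image!r}")
    return f"arn:{partition}:ecr:{m['region']}:{m['account']}:repository/{m['repo']}"


def ecr_pull_policy(image: str) -> dict:
    """Least-privilege replacement for a single statement with Resource '*'.

    ecr:GetAuthorizationToken has no resource-level permissions, so it must
    keep '*'; the three actions a pull actually needs are scoped to the one
    repository the image lives in.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EcrLogin",
                "Effect": "Allow",
                "Action": "ecr:GetAuthorizationToken",
                "Resource": "*",
            },
            {
                "Sid": "EcrPullOneRepo",
                "Effect": "Allow",
                "Action": [
                    "ecr:BatchCheckLayerAvailability",
                    "ecr:GetDownloadUrlForLayer",
                    "ecr:BatchGetImage",
                ],
                "Resource": ecr_repository_arn(image),
            },
        ],
    }


if __name__ == "__main__":
    # Constructed sample values: the two path spellings from the post's edit
    # plus a missing trailing slash for contrast.
    for p in ("ecs/services/tasks/", "/ecs/services/tasks/", "/", "/ecs/services/tasks"):
        print(f"{p!r:24} valid={is_valid_iam_path(p)}")
    print(role_arn("123456789012", "/ecs/services/tasks/", "EcsTaskRole"))
    img = "123456789012.dkr.ecr.eu-west-1.amazonaws.com/team/node-app:1.2.3"
    print(json.dumps(ecr_pull_policy(img), indent=2))
```

The path check is the same one IAM applies server-side, so running it in a pre-deploy test or a cfn-lint custom rule catches a bad `EcsTaskRolePath` parameter before the stack tries to create the role. The policy builder keeps the `*` statement separate so the repository-scoped statement can later be tightened further (for example with a condition) without touching the token call.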