What role should I set for AWS ECS Service Connect TLS?

Question  Votes: 0  Answers: 1

I am creating an ECS service with Service Connect using the Terraform aws_ecs_service resource, and I want to enable TLS. It requires me to set a role_arn:

tls {
  role_arn = var.service_connect_tls_role_arn
  issuer_cert_authority {
    aws_pca_authority_arn = var.service_connect_pca_arn
  }
}

This is the role I created:

resource "aws_iam_role" "cdr_client_ecs_service_tls_role" {
  name = "cdr-client-ecs-service-tls-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [{
      Action = "sts:AssumeRole",
      Effect = "Allow",
      Principal = {
        Service = "ecs-tasks.amazonaws.com"
      }
    }]
  })

  inline_policy {
    name = "cdr-client-ecs-service-tls-policy"
    policy = jsonencode({
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Action" : [
            "acm-pca:DescribeCertificateAuthority"
          ],
          "Effect" : "Allow",
          "Resource" : "*",
        }
      ]
    })
  }
}

When I apply this, I get:

Error: creating ECS Service (client super): InvalidParameterException: Unable to assume role arn:aws:iam::111111111:role/cdr-client-ecs-service-tls-role

How should the role be configured?

amazon-ecs
1 Answer
0 votes

The role must be assumable by the ecs.amazonaws.com and ecs-tasks.amazonaws.com services, and it must include the AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity managed policy.

resource "aws_iam_role" "ecs_service_connect_for_tls" {
  name = "ecs-service-connect-for-tls"
  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Effect = "Allow",
        Principal = {
          Service = ["ecs.amazonaws.com", "ecs-tasks.amazonaws.com"]
        },
        Action = "sts:AssumeRole"
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "ecs_service_connect_for_tls" {
  for_each = toset([
    "arn:aws:iam::aws:policy/service-role/AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity"
  ])
  role       = aws_iam_role.ecs_service_connect_for_tls.name
  policy_arn = each.key
}

If you use a KMS key to encrypt and decrypt Service Connect resources, you must grant the role the necessary permissions by configuring a resource-based policy on the KMS key.

# The key policy below references the current account ID, so this data source is required.
data "aws_caller_identity" "current" {}

resource "aws_kms_key" "ecs_service_connect_key" {
  description             = "KMS key for ECS Service Connect automatic traffic encryption"
  deletion_window_in_days = 7

  policy = jsonencode({
    "Version" : "2012-10-17",
    "Id" : "ECSServiceConnectKMSKeyPolicy",
    "Statement" : [
      {
        "Sid" : "Enable IAM User Permissions",
        "Effect" : "Allow",
        "Principal" : {
          "AWS" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
        },
        "Action" : "kms:*",
        "Resource" : "*"
      },
      {
        "Sid" : "Allow ECS Service Connect for TLS to Use the Key",
        "Effect" : "Allow",
        "Principal" : {
          AWS = aws_iam_role.ecs_service_connect_for_tls.arn
        },
        "Action" : [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:GenerateDataKey",
          "kms:GenerateDataKeyPair"
        ],
        "Resource" : "*"
      }
    ]
  })
}
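To confirm a role actually satisfies the two requirements the answer names (both ECS service principals in the trust policy, and the managed policy attached) before running terraform apply, here is an added check that is not part of the original question or answer. It is plain Python over the policy JSON, so it can be fed the AssumeRolePolicyDocument returned by `aws iam get-role` and the ARNs returned by `aws iam list-attached-role-policies`; the two sample policies inside it are constructed from the question and the answer.

```python
import json

# Requirements stated in the accepted answer above.
REQUIRED_SERVICE_PRINCIPALS = {"ecs.amazonaws.com", "ecs-tasks.amazonaws.com"}
REQUIRED_MANAGED_POLICY_ARN = (
    "arn:aws:iam::aws:policy/service-role/"
    "AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity"
)


def _as_list(value):
    """IAM accepts either a string or a list in Action, Principal and Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def service_principals_allowed_to_assume(trust_policy: dict) -> set:
    """Service principals that an Allow statement grants sts:AssumeRole."""
    allowed = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal") or {}
        if isinstance(principal, dict):
            allowed.update(_as_list(principal.get("Service")))
    return allowed


def check_service_connect_tls_role(trust_policy: dict, attached_policy_arns) -> list:
    """Problems that would make ECS reject the role for Service Connect TLS; [] if OK."""
    problems = []
    missing = REQUIRED_SERVICE_PRINCIPALS - service_principals_allowed_to_assume(trust_policy)
    for svc in sorted(missing):
        problems.append(f"trust policy does not allow {svc} to assume the role")
    if REQUIRED_MANAGED_POLICY_ARN not in set(attached_policy_arns):
        problems.append("required Service Connect TLS managed policy is not attached")
    return problems


# Constructed sample: the trust policy from the question (ecs-tasks only, no managed policy).
QUESTION_TRUST_POLICY = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",'
                                   ' "Action": "sts:AssumeRole",'
                                   ' "Principal": {"Service": "ecs-tasks.amazonaws.com"}}]}')

# Constructed sample: the trust policy from the answer (both principals).
ANSWER_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Principal": {"Service": ["ecs.amazonaws.com", "ecs-tasks.amazonaws.com"]}}]}

if __name__ == "__main__":
    print(check_service_connect_tls_role(QUESTION_TRUST_POLICY, []))
    print(check_service_connect_tls_role(ANSWER_TRUST_POLICY, [REQUIRED_MANAGED_POLICY_ARN]))
```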
© www.soinside.com 2019 - 2024. All rights reserved.