Amazon Elastic Container Service
开发人员指南 (API 版本 2014-11-13)
AWS 文档中描述的 AWS 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 Amazon AWS 入门

Amazon ECS IAM 策略示例

以下示例显示了您可用于控制 IAM 用户 Amazon ECS 权限的策略语句。

Amazon ECS 首次运行向导

Amazon ECS 首次运行向导简化了创建集群并运行您的任务和服务的过程。不过,用户需要通过多种 AWS 服务来获得执行许多 API 操作的权限才能完成此向导。以下 AmazonECS_FullAccess 托管策略说明了完成 Amazon ECS 首次运行向导所需的权限。

注意

如果您要在首次运行向导中创建 Amazon ECR 存储库,为映像添加标签并将映像推送到该存储库,然后在 Amazon ECS 任务定义中使用该映像,则您的用户还需要 AmazonEC2ContainerRegistryFullAccess 托管策略中列出的权限。有关更多信息,请参阅 Amazon ECR 托管策略

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "application-autoscaling:DeleteScalingPolicy", "application-autoscaling:DeregisterScalableTarget", "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DescribeScalingActivities", "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:PutScalingPolicy", "application-autoscaling:RegisterScalableTarget", "autoscaling:UpdateAutoScalingGroup", "autoscaling:CreateAutoScalingGroup", "autoscaling:CreateLaunchConfiguration", "autoscaling:DeleteAutoScalingGroup", "autoscaling:DeleteLaunchConfiguration", "autoscaling:Describe*", "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStack*", "cloudformation:UpdateStack", "cloudwatch:DescribeAlarms", "cloudwatch:DeleteAlarms", "cloudwatch:GetMetricStatistics", "cloudwatch:PutMetricAlarm", "ec2:AssociateRouteTable", "ec2:AttachInternetGateway", "ec2:AuthorizeSecurityGroupIngress", "ec2:CancelSpotFleetRequests", "ec2:CreateInternetGateway", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:CreateSecurityGroup", "ec2:CreateSubnet", "ec2:CreateVpc", "ec2:DeleteSubnet", "ec2:DeleteVpc", "ec2:Describe*", "ec2:DetachInternetGateway", "ec2:DisassociateRouteTable", "ec2:ModifySubnetAttribute", "ec2:ModifyVpcAttribute", "ec2:RequestSpotFleet", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateRule", "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:DeleteListener", "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteRule", "elasticloadbalancing:DeleteTargetGroup", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeTargetGroups", "ecs:*", "events:DescribeRule", "events:DeleteRule", "events:ListRuleNamesByTarget", "events:ListTargetsByRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets", "iam:ListAttachedRolePolicies", "iam:ListInstanceProfiles", "iam:ListRoles", "logs:CreateLogGroup", "logs:DescribeLogGroups", "logs:FilterLogEvents", "route53:GetHostedZone", "route53:ListHostedZonesByName", "route53:CreateHostedZone", "route53:DeleteHostedZone", "route53:GetHealthCheck", "servicediscovery:CreatePrivateDnsNamespace", "servicediscovery:CreateService", "servicediscovery:GetNamespace", "servicediscovery:GetOperation", "servicediscovery:GetService", "servicediscovery:ListNamespaces", "servicediscovery:ListServices", "servicediscovery:UpdateService" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "ssm:GetParametersByPath", "ssm:GetParameters", "ssm:GetParameter" ], "Resource": "arn:aws:ssm:*:*:parameter/aws/service/ecs*" }, { "Effect": "Allow", "Action": [ "ec2:DeleteInternetGateway", "ec2:DeleteRoute", "ec2:DeleteRouteTable", "ec2:DeleteSecurityGroup" ], "Resource": [ "*" ], "Condition": { "StringLike": { "ec2:ResourceTag/aws:cloudformation:stack-name": "EC2ContainerService-*" } } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": [ "*" ], "Condition": { "StringLike": { "iam:PassedToService": "ecs-tasks.amazonaws.com" } } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": [ "arn:aws:iam::*:role/ecsInstanceRole*" ], "Condition": { "StringLike": { "iam:PassedToService": [ "ec2.amazonaws.com", "ec2.amazonaws.com.cn" ] } } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": [ "arn:aws:iam::*:role/ecsAutoscaleRole*" ], "Condition": { "StringLike": { "iam:PassedToService": [ "application-autoscaling.amazonaws.com", "application-autoscaling.amazonaws.com.cn" ] } } }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringLike": { "iam:AWSServiceName": [ "ecs.amazonaws.com", "spot.amazonaws.com", "spotfleet.amazonaws.com", "ecs.application-autoscaling.amazonaws.com" ] } } } ] }

集群

以下 IAM 策略授予创建和列出集群所需的权限。CreateClusterListClusters 操作不接受任何资源,因此,所有资源的资源定义将设置为 *

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:CreateCluster", "ecs:ListClusters" ], "Resource": [ "*" ] } ] }

以下 IAM 策略授予描述和删除特定集群所需的权限。DescribeClusterDeleteCluster 操作将集群 ARN 接受为资源。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeCluster", "ecs:DeleteCluster" ], "Resource": [ "arn:aws:ecs:us-east-1:<aws_account_id>:cluster/<cluster_name>" ] } ] }

以下 IAM 策略可附加到用户或组,该策略仅允许用户或组对特定集群执行操作。

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ecs:Describe*", "ecs:List*" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "ecs:DeleteCluster", "ecs:DeregisterContainerInstance", "ecs:ListContainerInstances", "ecs:RegisterContainerInstance", "ecs:SubmitContainerStateChange", "ecs:SubmitTaskStateChange" ], "Effect": "Allow", "Resource": "arn:aws:ecs:us-east-1:<aws_account_id>:cluster/default" }, { "Action": [ "ecs:DescribeContainerInstances", "ecs:DescribeTasks", "ecs:ListTasks", "ecs:UpdateContainerAgent", "ecs:StartTask", "ecs:StopTask", "ecs:RunTask" ], "Effect": "Allow", "Resource": "*", "Condition": { "ArnEquals": { "ecs:cluster": "arn:aws:ecs:us-east-1:<aws_account_id>:cluster/default" } } } ] }

容器实例

虽然容器实例注册由 Amazon ECS 代理处理,但有时您可能需要允许用户从集群中手动取消注册实例。容器实例可能已意外注册到错误的集群,或者实例已终止,但仍有任务在其上运行。

以下 IAM 策略可让用户列出并取消注册指定群集中的容器类型:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeregisterContainerInstance", "ecs:ListContainerInstances" ], "Resource": [ "arn:aws:ecs:<region>:<aws_account_id>:cluster/<cluster_name>" ] } ] }

以下 IAM 策略可让用户描述指定群集中的指定容器实例:要对集群中的所有容器实例开放此权限,您可以将容器实例 UUID 替换为 *

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeContainerInstance" ], "Condition": { "ArnEquals": { "ecs:cluster": "arn:aws:ecs:<region>:<aws_account_id>:cluster/<cluster_name>" } }, "Resource": [ "arn:aws:ecs:<region>:<aws_account_id>:container-instance/<container_instance_UUID>" ] } ] }

任务定义

任务定义 IAM 策略不支持资源级权限,但以下 IAM 策略可让用户注册、列出和描述任务定义:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:RegisterTaskDefinition", "ecs:ListTaskDefinitions", "ecs:DescribeTaskDefinition" ], "Resource": [ "*" ] } ] }

运行任务

任务定义是 RunTask 的资源。要限制用户可在其上运行任务定义的集群,您可以在 Condition 数据块中指定这些集群。这样做的好处是,您不必在资源中列出任务定义和集群以允许适当的访问。您可以应用任务定义和/或集群。

以下 IAM 策略授予在特定集群上运行特定任务定义的任意修订的权限:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:RunTask" ], "Condition": { "ArnEquals": { "ecs:cluster": "arn:aws:ecs:<region>:<aws_account_id>:cluster/<cluster_name>" } }, "Resource": [ "arn:aws:ecs:<region>:<aws_account_id>:task-definition/<task_family>:*" ] } ] }

启动任务

任务定义是 StartTask 的资源。要限制用户可在其中启动任务定义的集群和容器实例,您可以在 Condition 数据块中指定它们。这样做的好处是,您不必在资源中列出任务定义和集群以允许适当的访问。您可以应用任务定义和/或集群。

以下 IAM 策略授予在特定集群和特定容器实例上开始对特定任务定义进行任意修订的权限:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:StartTask" ], "Condition": { "ArnEquals": { "ecs:cluster": "arn:aws:ecs:<region>:<aws_account_id>:cluster/<cluster_name>", "ecs:container-instances" : [ "arn:aws:ecs:<region>:<aws_account_id>:container-instance/<container_instance_UUID>" ] } }, "Resource": [ "arn:aws:ecs:<region>:<aws_account_id>:task-definition/<task_family>:*" ] } ] }

列出并描述任务

以下 IAM 策略可让用户列出指定集群的任务:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:ListTasks" ], "Condition": { "ArnEquals": { "ecs:cluster": "arn:aws:ecs:<region>:<aws_account_id>:cluster/<cluster_name>" } }, "Resource": [ "*" ] } ] }

以下 IAM 策略可让用户描述指定集群中的指定任务:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeTask" ], "Condition": { "ArnEquals": { "ecs:cluster": "arn:aws:ecs:<region>:<aws_account_id>:cluster/<cluster_name>" } }, "Resource": [ "arn:aws:ecs:<region>:<aws_account_id>:task/<task_UUID>" ] } ] }

创建服务

以下 IAM 策略可让用户在 AWS 管理控制台中创建 Amazon ECS 服务:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "application-autoscaling:Describe*", "application-autoscaling:PutScalingPolicy", "application-autoscaling:RegisterScalableTarget", "cloudwatch:DescribeAlarms", "cloudwatch:PutMetricAlarm", "ecs:List*", "ecs:Describe*", "ecs:CreateService", "elasticloadbalancing:Describe*", "iam:AttachRolePolicy", "iam:CreateRole", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:ListAttachedRolePolicies", "iam:ListRoles", "iam:ListGroups", "iam:ListUsers" ], "Resource": [ "*" ] } ] }

更新服务

以下 IAM 策略可让用户在 AWS 管理控制台中更新 Amazon ECS 服务:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "application-autoscaling:Describe*", "application-autoscaling:PutScalingPolicy", "application-autoscaling:DeleteScalingPolicy", "application-autoscaling:RegisterScalableTarget", "cloudwatch:DescribeAlarms", "cloudwatch:PutMetricAlarm", "ecs:List*", "ecs:Describe*", "ecs:UpdateService", "iam:AttachRolePolicy", "iam:CreateRole", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:ListAttachedRolePolicies", "iam:ListRoles", "iam:ListGroups", "iam:ListUsers" ], "Resource": [ "*" ] } ] }