Amazon EC2 Container Service
Developer Guide (API Version 2014-11-13)
AWS services or capabilities described in AWS documentation may vary by region/location. Click Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.

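Amazon ECS Managed Policies

Amazon ECS provides several managed policies that you can attach to IAM users or EC2 instances to allow differing levels of control over Amazon ECS resources and API operations. You can apply these policies directly, or you can use them as starting points for creating your own policies. For more information about each API operation mentioned in these policies, see Actions in the Amazon EC2 Container Service API Reference.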

AmazonEC2ContainerServiceFullAccess

This policy grants full administrator access to Amazon ECS.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:Describe*",
        "autoscaling:UpdateAutoScalingGroup",
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeStack*",
        "cloudformation:UpdateStack",
        "cloudwatch:GetMetricStatistics",
        "ec2:Describe*",
        "elasticloadbalancing:*",
        "ecs:*",
        "events:DescribeRule",
        "events:DeleteRule",
        "events:ListRuleNamesByTarget",
        "events:ListTargetsByRule",
        "events:PutRule",
        "events:PutTargets",
        "events:RemoveTargets",
        "iam:ListInstanceProfiles",
        "iam:ListRoles",
        "iam:PassRole"
      ],
      "Resource": "*"
    }
  ]
}

AmazonEC2ContainerServiceforEC2Role

This policy allows Amazon ECS container instances to make calls to AWS on your behalf. For more information, see Amazon ECS Container Instance IAM Role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateCluster",
        "ecs:DeregisterContainerInstance",
        "ecs:DiscoverPollEndpoint",
        "ecs:Poll",
        "ecs:RegisterContainerInstance",
        "ecs:StartTelemetrySession",
        "ecs:Submit*",
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}

AmazonEC2ContainerServiceRole

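This policy allows Elastic Load Balancing load balancers to register and deregister Amazon ECS container instances on your behalf. For more information, see Amazon ECS Service Scheduler IAM Role.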

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:Describe*",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
        "elasticloadbalancing:DeregisterTargets",
        "elasticloadbalancing:Describe*",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:RegisterTargets"
      ],
      "Resource": "*"
    }
  ]
}

AmazonEC2ContainerServiceAutoscaleRole

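This policy allows Application Auto Scaling to increase and decrease the desired count of your Amazon ECS service on your behalf in response to CloudWatch alarms. For more information, see Amazon ECS Service Auto Scaling IAM Role.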

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1456535218000",
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeServices",
        "ecs:UpdateService"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Stmt1456535243000",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:DescribeAlarms"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

AmazonEC2ContainerServiceTaskRole

This policy allows containers in your Amazon ECS tasks to make calls to AWS APIs on your behalf. For more information, see Amazon EC2 Container Service Task Role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

AmazonEC2ContainerServiceEventsRole

This policy allows CloudWatch Events to run tasks on your behalf. For more information, see Scheduled Tasks (cron).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:RunTask"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
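
When one of these managed policies is used as the starting point for your own policy, it helps to see first which grants apply to every resource. The following Python is an added example, not part of the AWS guide: it flags wildcard actions and iam:PassRole on Resource "*" in the AmazonEC2ContainerServiceFullAccess document shown on this page, and recognizes the AmazonEC2ContainerServiceTaskRole document as a trust policy; the function names and the SENSITIVE set are assumptions of the example.

```python
import json

# Actions flagged when allowed on every resource (this set is an assumption of the example).
SENSITIVE = {"iam:passrole"}

def _as_list(value):
    """Action and Resource may each be a single string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def audit_policy(document):
    """Return (kind, findings) for a policy document given as a JSON string."""
    statements = json.loads(document)["Statement"]
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    kind, findings = "permissions", []
    for stmt in statements:
        if "Principal" in stmt:  # trust policy: names who may assume the role, no Resource
            kind = "trust"
            continue
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        for action in _as_list(stmt.get("Action")):
            name = action.partition(":")[2]
            if action == "*" or name == "*":
                findings.append((action, "all actions"))
            elif "*" in name:
                findings.append((action, "wildcard action pattern"))
            elif action.lower() in SENSITIVE:  # IAM action names are case-insensitive
                findings.append((action, "sensitive action on all resources"))
    return kind, findings

# The two documents below are copied from this page.
FULL_ACCESS = '''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": [
  "autoscaling:Describe*", "autoscaling:UpdateAutoScalingGroup", "cloudformation:CreateStack",
  "cloudformation:DeleteStack", "cloudformation:DescribeStack*", "cloudformation:UpdateStack",
  "cloudwatch:GetMetricStatistics", "ec2:Describe*", "elasticloadbalancing:*", "ecs:*",
  "events:DescribeRule", "events:DeleteRule", "events:ListRuleNamesByTarget",
  "events:ListTargetsByRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets",
  "iam:ListInstanceProfiles", "iam:ListRoles", "iam:PassRole"], "Resource": "*"}]}'''
TASK_ROLE = '''{"Version": "2012-10-17", "Statement": [{"Sid": "", "Effect": "Allow",
  "Principal": {"Service": "ecs-tasks.amazonaws.com"}, "Action": "sts:AssumeRole"}]}'''

if __name__ == "__main__":
    for label, doc in (("FullAccess", FULL_ACCESS), ("TaskRole", TASK_ROLE)):
        kind, findings = audit_policy(doc)
        print(label, kind, findings)
```

Statements that use NotAction or NotResource are not evaluated by this example.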