Amazon Elastic Container Service
开发人员指南 (API Version 2014-11-13)
AWS 服务或AWS文档中描述的功能,可能因地区/位置而异。请点击 Amazon AWS 入门,可查看中国地区的具体差异

Amazon ECS 托管策略和信任关系

Amazon ECS 提供了一些托管策略和信任关系,您可以将它们附加到 IAM 用户、EC2 实例或 Amazon ECS 任务,以实现对 Amazon ECS 资源和 API 操作的不同级别的控制。您可以直接应用这些策略,或者也可以使用它们作为自行创建策略的起点。有关这些策略中提到的每个 API 操作的更多信息,请参阅 Amazon Elastic Container Service API Reference中的操作

AmazonECS_FullAccess

此托管策略提供对 Amazon ECS 资源的管理访问权限,并通过对其他 AWS 服务资源的访问权限启用 ECS 功能,包括 VPC、Auto Scaling 组和 AWS CloudFormation 堆栈。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "application-autoscaling:DeleteScalingPolicy", "application-autoscaling:DeregisterScalableTarget", "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DescribeScalingActivities", "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:PutScalingPolicy", "application-autoscaling:RegisterScalableTarget", "autoscaling:UpdateAutoScalingGroup", "autoscaling:CreateAutoScalingGroup", "autoscaling:CreateLaunchConfiguration", "autoscaling:DeleteAutoScalingGroup", "autoscaling:DeleteLaunchConfiguration", "autoscaling:Describe*", "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStack*", "cloudformation:UpdateStack", "cloudwatch:DescribeAlarms", "cloudwatch:GetMetricStatistics", "cloudwatch:PutMetricAlarm", "ec2:AssociateRouteTable", "ec2:AttachInternetGateway", "ec2:AuthorizeSecurityGroupIngress", "ec2:CancelSpotFleetRequests", "ec2:CreateInternetGateway", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:CreateSecurityGroup", "ec2:CreateSubnet", "ec2:CreateVpc", "ec2:DeleteSubnet", "ec2:DeleteVpc", "ec2:Describe*", "ec2:DetachInternetGateway", "ec2:DisassociateRouteTable", "ec2:ModifySubnetAttribute", "ec2:ModifyVpcAttribute", "ec2:RequestSpotFleet", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateRule", "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:DeleteListener", "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteRule", "elasticloadbalancing:DeleteTargetGroup", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeTargetGroups", "ecs:*", "events:DescribeRule", "events:DeleteRule", "events:ListRuleNamesByTarget", "events:ListTargetsByRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets", "iam:ListAttachedRolePolicies", "iam:ListInstanceProfiles", "iam:ListRoles", "logs:CreateLogGroup", "logs:DescribeLogGroups", "logs:FilterLogEvents" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "ec2:DeleteInternetGateway", "ec2:DeleteRoute", "ec2:DeleteRouteTable", "ec2:DeleteSecurityGroup" ], "Resource": [ "*" ], "Condition": { "StringLike": { "ec2:ResourceTag/aws:cloudformation:stack-name": "EC2ContainerService-*" } } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": [ "*" ], "Condition": { "StringLike": { "iam:PassedToService": "ecs-tasks.amazonaws.com" } } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": [ "arn:aws:iam::*:role/ecsInstanceRole*" ], "Condition": { "StringLike": { "iam:PassedToService": ["ec2.amazonaws.com", "ec2.amazonaws.com.cn"] } } }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": [ "arn:aws:iam::*:role/ecsAutoscaleRole*" ], "Condition": { "StringLike": { "iam:PassedToService": ["application-autoscaling.amazonaws.com", "application-autoscaling.amazonaws.com.cn"] } } }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringLike": { "iam:AWSServiceName": ["ecs.amazonaws.com", "spot.amazonaws.com", "spotfleet.amazonaws.com"] } } } ] }

AmazonEC2ContainerServiceFullAccess

此托管策略授予对 Amazon ECS 的完全管理员访问权限。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "autoscaling:Describe*", "autoscaling:UpdateAutoScalingGroup", "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStack*", "cloudformation:UpdateStack", "cloudwatch:GetMetricStatistics", "ec2:Describe*", "elasticloadbalancing:*", "ecs:*", "events:DescribeRule", "events:DeleteRule", "events:ListRuleNamesByTarget", "events:ListTargetsByRule", "events:PutRule", "events:PutTargets", "events:RemoveTargets", "iam:ListInstanceProfiles", "iam:ListRoles", "iam:PassRole" ], "Resource": "*" } ] }

AmazonEC2ContainerServiceforEC2Role

此托管策略允许 Amazon ECS 容器实例代表您调用 AWS。有关更多信息,请参阅 Amazon ECS 容器实例 IAM 角色

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:CreateCluster", "ecs:DeregisterContainerInstance", "ecs:DiscoverPollEndpoint", "ecs:Poll", "ecs:RegisterContainerInstance", "ecs:StartTelemetrySession", "ecs:Submit*", "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "*" } ] }

AmazonEC2ContainerServiceRole

此托管策略允许 Elastic Load Balancing 负载均衡器代表您注册和取消注册 Amazon ECS 容器实例。有关更多信息,请参阅 Amazon ECS 服务计划程序 IAM 角色

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupIngress", "ec2:Describe*", "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:Describe*", "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets" ], "Resource": "*" } ] }

AmazonEC2ContainerServiceAutoscaleRole

此托管策略允许 Application Auto Scaling 代表您增加和减少您的 Amazon ECS 服务的预期数量以响应 CloudWatch 警报。有关更多信息,请参阅 Amazon ECS 服务 Auto Scaling IAM 角色

{ "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1456535218000", "Effect": "Allow", "Action": [ "ecs:DescribeServices", "ecs:UpdateService" ], "Resource": [ "*" ] }, { "Sid": "Stmt1456535243000", "Effect": "Allow", "Action": [ "cloudwatch:DescribeAlarms" ], "Resource": [ "*" ] } ] }

AmazonEC2ContainerServiceTaskRole

此 IAM 信任关系策略允许您的 Amazon ECS 任务中的容器代表您调用 AWS API。有关更多信息,请参阅 Amazon EC2 Container Service Task Role

{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "ecs-tasks.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }

AmazonEC2ContainerServiceEventsRole

该策略允许 CloudWatch Events 代表您运行任务。有关更多信息,请参阅 排定的任务 (cron)

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:RunTask" ], "Resource": [ "*" ] } ] }