亚马逊 ECS/Amazon Fargate - Amazon Step Functions
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 Amazon Web Services 服务入门

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

亚马逊 ECS/Amazon Fargate

这些示例模板显示了如何根据状态机定义中的资源Amazon Step Functions生成 IAM 策略。有关更多信息,请参阅:

由于直到提交任务才知道的TaskId值,因此 Step Functions 会创建更具权限的"Resource": "*"策略。

注意

尽管有 IA"*" M 政策,但您只能停止由 Step Functions 启动的Elastic Container Service (Amazon ECS) 任务。

Run a Job (.sync)

静态资源

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:RunTask" ], "Resource": [ "arn:aws:ecs:[[region]]: [[accountId]]:task-definition/[[taskDefinition]]" ] }, { "Effect": "Allow", "Action": [ "ecs:StopTask", "ecs:DescribeTasks" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule" ], "Resource": [ "arn:aws:events:[[region]]: [[accountId]]:rule/StepFunctionsGetEventsForECSTaskRule" ] } ] }

动态资源

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:RunTask", "ecs:StopTask", "ecs:DescribeTasks" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule" ], "Resource": [ "arn:aws:events:[[region]]: [[accountId]]:rule/StepFunctionsGetEventsForECSTaskRule" ] } ] }
Request Response and Callback (.waitForTaskToken)

静态资源

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:RunTask" ], "Resource": [ "arn:aws:ecs:[[region]]: [[accountId]]:task-definition/[[taskDefinition]]" ] } ] }

动态资源

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:RunTask" ], "Resource": "*" } ] }

如果计划的 Amazon ECS 任务需要使用任务执行角色、任务角色或任务角色覆盖,则必须将每个任务执行角色、任务角色或任务角色覆盖的iam:PassRole权限添加到调用实体的 Ev CloudWatch ents IAM Step Functions。