Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 Amazon Web Services 服务入门。本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
亚马逊 ECS/Amazon Fargate
这些示例模板显示了如何根据状态机定义中的资源Amazon Step Functions生成 IAM 策略。有关更多信息,请参阅:
由于直到提交任务才知道的TaskId值,因此 Step Functions 会创建更具权限的"Resource": "*"策略。
尽管有 IA"*" M 政策,但您只能停止由 Step Functions 启动的Elastic Container Service (Amazon ECS) 任务。
- Run a Job (.sync)
-
静态资源
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:RunTask"
],
"Resource": [
"arn:aws:ecs:[[region]]:
[[accountId]]:task-definition/[[taskDefinition]]"
]
},
{
"Effect": "Allow",
"Action": [
"ecs:StopTask",
"ecs:DescribeTasks"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:[[region]]:
[[accountId]]:rule/StepFunctionsGetEventsForECSTaskRule"
]
}
]
}
动态资源
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:RunTask",
"ecs:StopTask",
"ecs:DescribeTasks"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:[[region]]:
[[accountId]]:rule/StepFunctionsGetEventsForECSTaskRule"
]
}
]
}
- Request Response and Callback (.waitForTaskToken)
-
静态资源
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:RunTask"
],
"Resource": [
"arn:aws:ecs:[[region]]:
[[accountId]]:task-definition/[[taskDefinition]]"
]
}
]
}
动态资源
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:RunTask"
],
"Resource": "*"
}
]
}
如果计划的 Amazon ECS 任务需要使用任务执行角色、任务角色或任务角色覆盖,则必须将每个任务执行角色、任务角色或任务角色覆盖的iam:PassRole权限添加到调用实体的 Ev CloudWatch ents IAM Step Functions。