Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 Amazon Web Services 服务入门。本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
Amazon ECS/Amazon Fargate
这些示例模板显示了如何Amazon Step Functions将根据您的状态机定义中的资源生成 IAM 策略。有关更多信息,请参阅:
因为的价值TaskId在提交任务之前不知,Step Functions 会创建一个更具特权的特权"Resource": "*"政策。
您仍可以停止 Step Functions 启动的 Amazon Elastic Container Service (Amazon ECS) 任务,尽管采用了"*"IAM 策略。
- Run a Job (.sync)
-
静态资源
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:RunTask"
],
"Resource": [
"arn:aws:ecs:[[region]]:
[[accountId]]:task-definition/[[taskDefinition]]"
]
},
{
"Effect": "Allow",
"Action": [
"ecs:StopTask",
"ecs:DescribeTasks"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:[[region]]:
[[accountId]]:rule/StepFunctionsGetEventsForECSTaskRule"
]
}
]
}
动态资源
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:RunTask",
"ecs:StopTask",
"ecs:DescribeTasks"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:[[region]]:
[[accountId]]:rule/StepFunctionsGetEventsForECSTaskRule"
]
}
]
}
- Request Response and Callback (.waitForTaskToken)
-
静态资源
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:RunTask"
],
"Resource": [
"arn:aws:ecs:[[region]]:
[[accountId]]:task-definition/[[taskDefinition]]"
]
}
]
}
动态资源
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:RunTask"
],
"Resource": "*"
}
]
}