Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅
中国的 Amazon Web Services 服务入门
(PDF)。
本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
Amazon ECS/Amazon Fargate
这些示例模板显示了如何根据状态机定义中的资源 Amazon Step Functions 生成 IAM 策略。有关更多信息,请参阅:
由于在提交任务之前 TaskId
的值始终是未知的,因此 Step Functions 会创建具有更高特权的 "Resource": "*"
策略。
尽管有 "*"
IAM 策略,但您只能停止由 Step Functions 启动的 Amazon Elastic Container Service (Amazon ECS) 任务。
- Run a Job (.sync)
-
静态资源
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:RunTask"
],
"Resource": [
"arn:aws:ecs:[[region]]
:
[[accountId]]
:task-definition/[[taskDefinition]]
"
]
},
{
"Effect": "Allow",
"Action": [
"ecs:StopTask",
"ecs:DescribeTasks"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:[[region]]
:
[[accountId]]
:rule/StepFunctionsGetEventsForECSTaskRule"
]
}
]
}
动态资源
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:RunTask",
"ecs:StopTask",
"ecs:DescribeTasks"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:[[region]]
:
[[accountId]]
:rule/StepFunctionsGetEventsForECSTaskRule"
]
}
]
}
- Request Response and Callback (.waitForTaskToken)
-
静态资源
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:RunTask"
],
"Resource": [
"arn:aws:ecs:[[region]]
:
[[accountId]]
:task-definition/[[taskDefinition]]
"
]
}
]
}
动态资源
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:RunTask"
],
"Resource": "*"
}
]
}
如果您计划的 Amazon ECS 任务需要使用任务执行角色、任务角色或任务角色覆盖,则必须将每个任务执行角色、任务角色或任务角色覆盖的iam:PassRole
权限添加到调用实体的 Ev CloudWatch ents IAM 角色(在本例中为 Step Functions)中。