AWS CDK: DynamoDB access for a Fargate service

Time: 2020-05-29 13:12:36

Tags: amazon-web-services permissions amazon-dynamodb aws-cdk

I (an AWS newbie) am playing around with the AWS CDK. I want to build a simple Spring service that runs in Fargate and uses DynamoDB as its database. It looks like my service cannot access DynamoDB because some permission is missing. In the CloudWatch logs I see the following error message:

com.amazonaws.services.dynamodbv2.model.AmazonDynamoDBException: User: arn:aws:sts::xxxxxxxxxx:assumed-role/MyCdkAppStack-TaskDefTaskRole1EDB4A67-xxxxxxxx/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx is not authorized to perform: dynamodb:UpdateItem on resource: arn:aws:dynamodb:eu-central-1:xxxxxxxxxxx:table/MyDynamoDbTable (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException; Request ID: XXXXX)

As for the table permissions, I thought this should grant the Fargate service's task role enough permissions:

props.dependencies.dynamoDb.grantReadWriteData(taskDefinition.taskRole);

In the AWS console the permissions seem to be there: when I go to the corresponding task, the corresponding role appears to have all the permissions.

It doesn't work, though, so obviously I am missing something or doing something wrong. Any hints on how to connect a Fargate service to a DynamoDB table in a CDK app?

Thanks, any tips would be appreciated :)

Edit: sorry for the delay... The stack:

import * as cdk from '@aws-cdk/core';
import { RemovalPolicy } from '@aws-cdk/core';
import { Vpc } from '@aws-cdk/aws-ec2';
import { IRepository } from '@aws-cdk/aws-ecr';
import { AwsLogDriver, Cluster, ContainerImage } from '@aws-cdk/aws-ecs';
import { ApplicationLoadBalancedFargateService } from '@aws-cdk/aws-ecs-patterns';
import { AttributeType, BillingMode, Table } from '@aws-cdk/aws-dynamodb';
import { RetentionDays } from '@aws-cdk/aws-logs';

// Props shape implied by the usage below; the post does not show the actual interface.
export interface MyCdkAppStackProps extends cdk.StackProps {
    dependencies: { appRepo: IRepository };
}

export class MyCdkAppStack extends cdk.Stack {
    constructor(scope: cdk.Construct, id: string, props: MyCdkAppStackProps) {
        super(scope, id, props);

        const appId = 'myService';

        // On-demand table with a single string partition key; deleted together with the stack.
        const table = new Table(this, 'MyDynamoDbTable', {
            tableName: 'MyDynamoDbTable',
            partitionKey: {name: 'Id', type: AttributeType.STRING},
            billingMode: BillingMode.PAY_PER_REQUEST,
            removalPolicy: RemovalPolicy.DESTROY
        });

        // Container stdout/stderr goes to CloudWatch Logs (this is where the error above shows up).
        const logDriver = new AwsLogDriver({
            logRetention: RetentionDays.ONE_WEEK,
            streamPrefix: "test-stream-prefix",
        });

        const vpc = new Vpc(this, 'cdk-my-vpc', {maxAzs: 2});

        new cdk.CfnOutput(this, "MyVpc", {value: vpc.vpcId});

        const cluster = new Cluster(this, "MyCluster", {
            vpc: vpc,
            clusterName: appId
        });

        const appImage = ContainerImage.fromEcrRepository(props.dependencies.appRepo, 'latest');

        // The pattern creates the task definition, task role, ALB and service in one go.
        const applicationLoadBalancedFargateService = new ApplicationLoadBalancedFargateService(this, "FargateService", {
            cluster: cluster,
            taskImageOptions: {
                image: appImage,
                containerPort: 8080,
                logDriver: logDriver
            },
        });

        // Adds a read/write DynamoDB statement, scoped to this table's ARN, to the task role's default policy.
        table.grantReadWriteData(applicationLoadBalancedFargateService.taskDefinition.taskRole);
    }
}

The task role policy after cdk synth:

"FargateServiceTaskDefTaskRoleDefaultPolicy63F83D6F": {
  "Type": "AWS::IAM::Policy",
  "Properties": {
    "PolicyDocument": {
      "Statement": [
        {
          "Action": [
            "dynamodb:BatchGetItem",
            "dynamodb:GetRecords",
            "dynamodb:GetShardIterator",
            "dynamodb:Query",
            "dynamodb:GetItem",
            "dynamodb:Scan",
            "dynamodb:BatchWriteItem",
            "dynamodb:PutItem",
            "dynamodb:UpdateItem",
            "dynamodb:DeleteItem"
          ],
          "Effect": "Allow",
          "Resource": [
            {
              "Fn::GetAtt": [
                "MyDynamoDbTableC81ED735",
                "Arn"
              ]
            },
            {
              "Ref": "AWS::NoValue"
            }
          ]
        }
      ],
      "Version": "2012-10-17"
    },
    "PolicyName": "FargateServiceTaskDefTaskRoleDefaultPolicy63F83D6F",
    "Roles": [
      {
        "Ref": "FargateServiceTaskDefTaskRole8CDCF85E"
      }
    ]
  }
}

0 answers
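The synthesized policy above can be checked offline against the AccessDenied message, as an added example that is not code from the post or from the CDK. It resolves the two CloudFormation intrinsics the way CloudFormation would (Fn::GetAtt to the table ARN, AWS::NoValue dropped), evaluates the statement for the denied action and resource with IAM wildcard semantics, and compares the role named in the error's assumed-role ARN with the logical ID of the role the policy is attached to. That second check matters here: the message names MyCdkAppStack-TaskDefTaskRole1EDB4A67-… while the synthesized policy is attached to FargateServiceTaskDefTaskRole8CDCF85E, and a task that is still running under an older task definition revision keeps the role of that revision. The message text and policy JSON are copied from the post with the masked account IDs kept, the table ARN is taken from the message, and the evaluator itself (Allow/Deny over any statement list, no Condition, NotAction or NotResource) is the example's own generalization.

```python
"""Offline check of a synthesized CDK task-role policy against a DynamoDB AccessDenied message."""
import json
import re

# Constructed from the AccessDeniedException in the post (account IDs masked as in the post).
ACCESS_DENIED_MSG = (
    "User: arn:aws:sts::xxxxxxxxxx:assumed-role/MyCdkAppStack-TaskDefTaskRole1EDB4A67-xxxxxxxx/"
    "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx is not authorized to perform: dynamodb:UpdateItem "
    "on resource: arn:aws:dynamodb:eu-central-1:xxxxxxxxxxx:table/MyDynamoDbTable"
)
# The AWS::IAM::Policy resource as cdk synth emitted it in the post, intrinsics unresolved.
SYNTHESIZED_POLICY = {
    "Type": "AWS::IAM::Policy",
    "Properties": {
        "PolicyDocument": {
            "Statement": [{
                "Action": ["dynamodb:BatchGetItem", "dynamodb:GetRecords", "dynamodb:GetShardIterator",
                           "dynamodb:Query", "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:BatchWriteItem",
                           "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem"],
                "Effect": "Allow",
                "Resource": [{"Fn::GetAtt": ["MyDynamoDbTableC81ED735", "Arn"]}, {"Ref": "AWS::NoValue"}],
            }],
            "Version": "2012-10-17",
        },
        "PolicyName": "FargateServiceTaskDefTaskRoleDefaultPolicy63F83D6F",
        "Roles": [{"Ref": "FargateServiceTaskDefTaskRole8CDCF85E"}],
    },
}
# Physical table ARN that Fn::GetAtt resolves to at deploy time (taken from the error message).
TABLE_ARN = "arn:aws:dynamodb:eu-central-1:xxxxxxxxxxx:table/MyDynamoDbTable"

_MSG_RE = re.compile(
    r"User: arn:aws:sts::[^:]*:assumed-role/(?P<role>[^/]+)/\S+ "
    r"is not authorized to perform: (?P<action>\S+) on resource: (?P<resource>\S+)"
)


def parse_access_denied(msg):
    """Extract the assumed role name, action and resource from an STS-style AccessDenied message."""
    m = _MSG_RE.search(msg)
    if not m:
        raise ValueError("not an assumed-role AccessDenied message")
    return m.groupdict()


def _as_list(x):
    return x if isinstance(x, list) else [x]


def resolve_resources(raw, table_arn):
    """Resolve the intrinsics grantReadWriteData emits: the table ARN and the optional index ARN slot."""
    out = []
    for r in _as_list(raw):
        if isinstance(r, str):
            out.append(r)
        elif r == {"Ref": "AWS::NoValue"}:
            continue  # CloudFormation drops this entry entirely; the table has no GSI
        elif r.get("Fn::GetAtt", [None, None])[1] == "Arn":
            out.append(table_arn)
        else:
            raise ValueError(f"unsupported intrinsic: {r}")
    return out


def _iam_match(pattern, value, case_insensitive):
    """IAM wildcards: '*' matches any run of characters, '?' exactly one; action names ignore case."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, flags=re.IGNORECASE if case_insensitive else 0) is not None


def policy_allows(doc, action, resource):
    """Identity-policy evaluation for one call: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for stmt in doc["Statement"]:
        if not any(_iam_match(a, action, True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_iam_match(r, resource, False) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def diagnose(msg, policy_resource, table_arn):
    """Does the policy cover the denied call, and is the denied principal a role it is attached to?"""
    denied = parse_access_denied(msg)
    doc = json.loads(json.dumps(policy_resource["Properties"]["PolicyDocument"]))  # deep copy
    for stmt in doc["Statement"]:
        stmt["Resource"] = resolve_resources(stmt["Resource"], table_arn)
    # CloudFormation names a role <StackName>-<LogicalId>-<random>, so the logical ID is a substring.
    attached_ids = [r["Ref"] for r in policy_resource["Properties"]["Roles"]]
    return {
        "action": denied["action"],
        "principal_role": denied["role"],
        "policy_allows_action": policy_allows(doc, denied["action"], denied["resource"]),
        "principal_is_attached_role": any(lid in denied["role"] for lid in attached_ids),
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(ACCESS_DENIED_MSG, SYNTHESIZED_POLICY, TABLE_ARN), indent=2))
```

For the post's own message and policy the first check passes (dynamodb:UpdateItem on the table ARN is allowed) and the second fails, which is the combination to look at before touching the grant: the policy is fine, but the task that logged the error was not running under the role it is attached to. Swapping the action for one the grant does not include, such as dynamodb:DescribeTable, makes the first check fail instead.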
