2 Answers
0
Usually you associate an IAM role to the service, have you tried that as the principal?
0
Have you tried using a condition as follows, replacing the role name with the ECS task role?
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow-access-to-specific-IAM-role",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": ["arn:aws:s3:::prod-region-starport-layer-bucket/*"],
            "Condition": {
                "ArnEquals": {
                    "aws:PrincipalArn": "arn:aws:iam::111122223333:role/role_name"
                }
            }
        }
    ]
}
I just tried to modify it as you suggested, and it doesn't work, neither with the ExecutionRoleArn of the service nor with the TaskRoleArn of the task.
Yes I've done it, I've tried both putting the role with which the ECS service runs, and I've also tried with the role with which the tasks run. Neither of these two things as the principal works; the tasks are not able to pull the image.
Added a new answer after reading the S3 gateway docs: https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html
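To make concrete what the ArnEquals condition in the suggested policy actually gates, here is an added Python evaluator (written for this thread, not code from the answers or from AWS) that applies a single anonymous-principal Allow statement with an aws:PrincipalArn condition to a request context; the account id and role name are the placeholders from the answer, and the evaluator models only Allow statements with Arn* conditions.

```python
import fnmatch
import json

# The bucket policy from the answer above, with placeholder account id and role name.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Allow-access-to-specific-IAM-role",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject"],
    "Resource": ["arn:aws:s3:::prod-region-starport-layer-bucket/*"],
    "Condition": {"ArnEquals": {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/role_name"}}
  }]
}
""")


def arn_matches(pattern, value):
    """IAM treats ArnEquals and ArnLike alike: both accept * and ? wildcards."""
    return fnmatch.fnmatchcase(value, pattern)


def condition_holds(condition, context):
    """Every operator/key pair must hold; a key absent from the request context fails."""
    for operator, pairs in condition.items():
        if operator not in ("ArnEquals", "ArnLike"):
            raise NotImplementedError(f"operator {operator} is not modelled here")
        for key, patterns in pairs.items():
            if isinstance(patterns, str):
                patterns = [patterns]
            if key not in context:
                return False  # e.g. a request that carries no IAM principal at all
            if not any(arn_matches(p, context[key]) for p in patterns):
                return False
    return True


def is_allowed(policy, action, resource, context):
    """True if some anonymous-principal Allow statement matches (Deny is not modelled)."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if stmt["Effect"] != "Allow" or stmt.get("Principal") != "*":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(arn_matches(r, resource) for r in resources):
            continue
        if condition_holds(stmt.get("Condition", {}), context):
            return True
    return False
```

Feed it the role ARN you expect the pull to run under; if the request context does not carry that exact aws:PrincipalArn, the statement grants nothing.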