I have deployed an ECS Fargate service with execute-command enabled. When I run aws ecs execute-command, I get the following error:
Encountered error while initiating handshake. Fetching data key failed: Unable to retrieve data key, Error when decrypting data key AccessDeniedException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
Adding the following IAM permission fixed that error (shown here as a complete policy statement):

{
    "Sid": "AllowDecryptData",
    "Effect": "Allow",
    "Action": "kms:Decrypt",
    "Resource": "arn:aws:kms:us-east-2:1234567890:*"
}
After that, I received the following error instead:
We couldn't start the session because encryption is not set up on the selected CloudWatch Logs log group. Either encrypt the log group or choose an option to enable logging without encryption.
Oddly, in the Session Manager preferences every option is set to "Off". Enabling CloudWatch logging and disabling encryption there changed nothing.

The task role has the following permissions:
{
    "Effect": "Allow",
    "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
    ],
    "Resource": "*"
}
{
    "Sid": "",
    "Effect": "Allow",
    "Action": [
        "ssmmessages:OpenDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:CreateControlChannel"
    ],
    "Resource": "*"
}
{
    "Sid": "AllowDecryptData",
    "Effect": "Allow",
    "Action": "kms:Decrypt",
    "Resource": "arn:aws:kms:us-east-2:1234567890:*"
}
The task role also has the AmazonSSMManagedInstanceCore managed policy attached.

The task execution role has:
{
    "Sid": "",
    "Effect": "Allow",
    "Action": [
        "logs:PutLogEvents",
        "logs:CreateLogStream",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetAuthorizationToken",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability"
    ],
    "Resource": "*"
}
The task execution role also has the AmazonSSMManagedInstanceCore managed policy attached.

Is there anything else I am missing?
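The two error messages quoted in the question are both produced by the cluster-level ECS Exec settings (the executeCommandConfiguration block of the ECS cluster) rather than by Session Manager preferences: the session KMS key named there must exist in the cluster's region and be decryptable by the task role, and when its log configuration sets cloudWatchEncryptionEnabled the target log group must itself have a KMS key associated. The following preflight checker is an added example, not code from the original post; it inspects dicts shaped like the ecs:DescribeClusters (include=CONFIGURATIONS) and logs:DescribeLogGroups responses and reports exactly those mismatches. The cluster name, account id, key id and log group name in the sample data are constructed; fetch_live() is an assumed helper showing how to feed the checks real data with boto3.

```python
"""Preflight checks for ECS Exec (aws ecs execute-command) configuration.

Added example, not from the original post. The check function takes dicts
shaped like the responses of ecs:DescribeClusters (include=CONFIGURATIONS)
and logs:DescribeLogGroups, so it runs offline on the constructed sample
data below; fetch_live() shows how to feed it real data with boto3.
"""
from __future__ import annotations

ACCOUNT = "123456789012"  # constructed account id for the sample data


def _arn_region(value: str) -> str | None:
    """Region field of an ARN, or None for a bare key id / alias (not an ARN)."""
    parts = value.split(":")
    return parts[3] if len(parts) >= 6 and parts[0] == "arn" else None


def check_exec_config(cluster: dict, log_groups: list[dict]) -> list[tuple[str, str]]:
    """Return (code, message) findings for one DescribeClusters cluster entry."""
    findings: list[tuple[str, str]] = []
    cfg = cluster.get("configuration", {}).get("executeCommandConfiguration")
    if cfg is None:
        return [("NO_EXEC_CONFIG",
                 "no executeCommandConfiguration: sessions use logging=DEFAULT and no session KMS key")]

    key = cfg.get("kmsKeyId")
    if key:
        key_region, cluster_region = _arn_region(key), _arn_region(cluster["clusterArn"])
        if key_region and key_region != cluster_region:
            findings.append(("KMS_KEY_REGION_MISMATCH",
                             f"session key {key} is in {key_region}, cluster is in {cluster_region}"))
        findings.append(("KMS_KEY_SET",
                         f"task role needs kms:Decrypt and the calling principal kms:GenerateDataKey on {key}"))

    mode = cfg.get("logging", "DEFAULT")
    if mode == "DEFAULT":
        findings.append(("LOGGING_DEFAULT",
                         "session logging follows the task definition's awslogs driver, "
                         "not Session Manager preferences"))
    elif mode == "OVERRIDE":
        lc = cfg.get("logConfiguration", {})
        name = lc.get("cloudWatchLogGroupName")
        if name:
            group = next((g for g in log_groups if g.get("logGroupName") == name), None)
            if group is None:
                findings.append(("LOG_GROUP_MISSING", f"log group {name} does not exist in this region"))
            elif lc.get("cloudWatchEncryptionEnabled") and not group.get("kmsKeyId"):
                findings.append(("LOG_GROUP_NOT_ENCRYPTED",
                                 f"cloudWatchEncryptionEnabled is true but {name} has no KMS key: "
                                 "associate a key with the log group or set the flag to false"))
    return findings


def sample_cluster(key_region: str = "us-east-2", encrypt_logs: bool = True) -> dict:
    """Constructed DescribeClusters entry modelled on the poster's us-east-2 setup."""
    return {
        "clusterArn": f"arn:aws:ecs:us-east-2:{ACCOUNT}:cluster/demo",
        "configuration": {"executeCommandConfiguration": {
            "kmsKeyId": f"arn:aws:kms:{key_region}:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555",
            "logging": "OVERRIDE",
            "logConfiguration": {"cloudWatchLogGroupName": "/ecs/exec-demo",
                                 "cloudWatchEncryptionEnabled": encrypt_logs},
        }},
    }


# Constructed log group: it exists but carries no kmsKeyId, i.e. it is not encrypted.
SAMPLE_LOG_GROUPS = [{"logGroupName": "/ecs/exec-demo",
                      "arn": f"arn:aws:logs:us-east-2:{ACCOUNT}:log-group:/ecs/exec-demo:*"}]


def fetch_live(cluster_name: str, region: str) -> tuple[dict, list[dict]]:
    """Fetch the real inputs with boto3 (needs credentials; not used by the offline demo)."""
    import boto3  # imported lazily so the offline demo does not depend on it
    ecs = boto3.client("ecs", region_name=region)
    logs = boto3.client("logs", region_name=region)
    cluster = ecs.describe_clusters(clusters=[cluster_name], include=["CONFIGURATIONS"])["clusters"][0]
    groups = logs.get_paginator("describe_log_groups").paginate().build_full_result()["logGroups"]
    return cluster, groups


if __name__ == "__main__":
    for code, msg in check_exec_config(sample_cluster(), SAMPLE_LOG_GROUPS):
        print(f"{code}: {msg}")
```

Run against the sample data it reports KMS_KEY_SET and LOG_GROUP_NOT_ENCRYPTED, the latter being the condition behind the second error in the question; pointing sample_cluster() at a key in another region reproduces the "does not exist in this region" side of the first error. To check a real cluster, replace the sample call with fetch_live("<cluster>", "us-east-2") and pass the returned pair to check_exec_config.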