无法使用 GitHub 操作 CI 将 ECS 中的任务定义注册到 AWS Fargate

Failed to register task definition in ECS with GitHub Actions CI to AWS Fargate

我正在为 AWS Fargate 设置 Github 操作 CI。但是在 Deploy Amazon ECS 任务定义步骤遇到权限问题。

出现以下错误:

Error: Failed to register task definition in ECS: User: arn:aws:iam::***:user/username is not authorized to perform: iam:PassRole on resource: arn:aws:iam::***:role/ecsTaskExecutionRole with an explicit deny
Error: User: arn:aws:iam::***:user/username is not authorized to perform: iam:PassRole on resource: arn:aws:iam::***:role/ecsTaskExecutionRole with an explicit deny

我已将以下权限添加到特定 IAM 用户 arn:aws:iam::***:user/username。但是还是不行

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ecs:RegisterTaskDefinition",
                "ecs:ListTaskDefinitions",
                "ecs:DescribeTaskDefinition"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::***:role/ecsTaskExecutionRole"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::***:role/ecsTaskExecutionRole"
        }
    ]
}

可能的原因是其他地方的某些政策明确拒绝您这样做。

错误消息以“with an explicit deny”结尾,暗示:

Remember, an explicit deny in any of these policies overrides the allow.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html

您应该在 AWS 中查找阻止此授权的政策,您的政策本身可能是正确的。