使用DynamoDB进行会话状态处理的问题(FARGATE/ECS).NET ASP WEB应用程序 - 角色身份验证
我正在将.NET Framework Web应用程序迁移到AWS,然后切换到容器。这是古老的技术,但是我们正在迈向现代化平台的措施。对于步骤,正在引入更好的InfraCode,CI/CD自动化和弹性/HA,因此移至Terraform驱动的IAC和负载平衡的容器化是很有意义的。
要解决的第一件事是,当我们将Web门户网站(.NET ASP)放在ALB负载平衡器后面时,会话状态开始失败。我认为使用默认的“内存”状态并打开会话粘性是一个次优路径(无论如何它都无法进行简短的尝试),因此我们跳入尝试使用DynamoDB来管理状态。
我们正在遵循本指南:
ECS任务角色已定义为访问的权利DynamoDB表已通过预期的默认表名称预先创建。
加载时,该站点未能加载web.config中的配置。
“无法从EC2实例元数据服务中获得IAM安全凭据。”
我研究了AWS SDK如何尝试进行身份验证,它如何通过寻找本地的AWS配置文件和键(包括key的ENK VARS)循环循环。和秘密访问密钥,看起来应该寻找ECS任务角色,然后在下面的页面中找到一个EC2角色(实例配置文件)
。 href =“ https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/creds-assign.html” rel =“ nofollow noreferrer”> https://dtps:///docs.aws.amazon。 com/sdk-for-net/v3/developer-guide/creds-assign.html
我们不会在生产中使用密钥的路径,因此AWSPROFILE和PROFILEPATH配置不会添加到我们的Web.config部分
<sessionState timeout="10" mode="Custom" customProvider="DynamoDBSessionStoreProvider" xdt:Transform="Replace">
<providers>
<add name="DynamoDBSessionStoreProvider"
type="Amazon.SessionProvider.DynamoDBSessionStateStore"
Region="ap-southeast-2" />
</providers>
</sessionState>
。 相同的元数据服务?
使用 角色?有人看过这个错误吗?如果有人有任何见解,我真的很高兴听到他们的声音!
谢谢你!
I'm migrating a .NET Framework web app to AWS, and switching to containers. It's old tech, but we're taking baby steps towards modernizing the platform. For step is introducing better InfraCode, CI/CD automation, and resilience/HA, so moving to Terraform driven IaC and containerization with load balancing makes a lot of sense.
First thing to tackle is that session state started failing the moment we put our web portal (.NET ASP) behind an ALB load balancer. I figure using the default 'in memory' state and turning on session stickiness is a suboptimal path to go down (and it wasn't working with a brief attempt anyway) so we've jumped into trying to use DynamoDB for managing state.
We're following this guide:
https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/dynamodb-session-net-sdk.html
The ECS Task role has the rights defined for accessing the DynamoDB table, which has been pre-created with the expected default table name.
The site failed to load complaining about the configuration in web.config when it loads up.
" Unable to get IAM security credentials from EC2 Instance Metadata Service. "
I looked into how the AWS SDK for .NET tries to authenticate, how it cycles through options starting off with looking for a local AWS Profile and Keys (including env vars for key and secret access key, and it looks like it should look for an ECS Task role, and then a EC2 Role (instance profile). Steps 7/8 in the page below:
https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/creds-assign.html
We're not going to go down the path of using keys in production, so the AWSProfile and ProfilePath config are not added to the provider config. Our web.config section looks like this:
<sessionState timeout="10" mode="Custom" customProvider="DynamoDBSessionStoreProvider" xdt:Transform="Replace">
<providers>
<add name="DynamoDBSessionStoreProvider"
type="Amazon.SessionProvider.DynamoDBSessionStateStore"
Region="ap-southeast-2" />
</providers>
</sessionState>
My error talks about the EC2 metadata service instead of ECS (do they use the same metadata service??) - could this just be that the ECS task can't reach the meta data service to find the role to use?
Does anyone have experience of using this provider in Windows containers with an ECS role? Has anyone seen this error? If anyone out there has any insights I'd be really grateful to hear them!
Thank you!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论