michael_65

Reputation: 581

AWS ECS Docker Container Boto3 IAM Permissions

I am attempting to run a boto3 python script inside a docker container using AWS ECS. My script needs access to SQS (get & delete messages) and Lambda (permission to search and run).

In order to get the docker container running on my local machine, I was able to pass my aws credentials into the docker container using the following docker run command.

docker run -v ~/.aws:/root/.aws

Recently ECS has announced:

Amazon ECS now supports IAM roles for tasks. When you specify an IAM role for a task, its containers can then use the latest versions of the AWS CLI or SDKs to make API requests to authorized AWS services.

I attach a task IAM role to the task but upon running the task I get the following error:

Unable to run task ECS was unable to assume the role that was provided for this task. Please verify that the role being passed has the proper trust relationship and permissions and that your IAM user has permissions to pass this role.

Any ideas would be appreciated.

Upvotes: 13

Views: 9332

Answers (2)

louahola

Reputation: 2136

It looks like IAM Task Roles are now supported in Boto, but regardless, that would be an issue when the Boto client was trying to make a request, not when trying to launch a task.

The issue here is defined in the error message. Either:

1) Your user does not have the iam:PassRole permission defined for the task role. This can be added by editing your user's policy to have a statement similar to the following:

{
  "Effect": "Allow",
  "Action": "iam:PassRole",
  "Resource": "arn:aws:iam::<account>:role/<role name>"
}

2) The Task role you are trying to assign to the task does not have the proper trust relationship. Add the following trust policy to the ECS task role to make sure that it can be assumed by the task.

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Upvotes: 19
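A pre-flight check for the two causes above, written as an added example (not code from the answer): it evaluates a task-role trust policy and the caller's identity policy offline and reports which of the two conditions would make RunTask fail. The account id, role names and sample policy documents are constructed placeholders, and the evaluator only approximates IAM (it ignores Condition, NotAction and NotResource).

```python
import fnmatch
# Constructed sample documents (not from the question); account id and role names are placeholders.
ROLE_ARN = "arn:aws:iam::123456789012:role/ecsTaskRole"
GOOD_TRUST = {"Version": "2008-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
              "Principal": {"Service": "ecs-tasks.amazonaws.com"}}]}
BAD_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"Service": "ec2.amazonaws.com"}}]}  # wrong service principal for a task role
USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::123456789012:role/ecs*"},
    {"Effect": "Deny", "Action": "iam:PassRole", "Resource": "arn:aws:iam::123456789012:role/ecsAdmin*"}]}

def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def _action_matches(patterns, action):
    """Action names are case-insensitive and may carry '*'/'?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def trust_policy_allows_ecs_tasks(trust_policy):
    """True if an Allow statement lets the ecs-tasks.amazonaws.com service principal call sts:AssumeRole."""
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal") or {}
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow" and "ecs-tasks.amazonaws.com" in services
                and _action_matches(stmt.get("Action"), "sts:AssumeRole")):
            return True
    return False

def identity_policy_allows_pass_role(policy, role_arn):
    """Does the caller's policy grant iam:PassRole on role_arn? A matching Deny beats any Allow."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not _action_matches(stmt.get("Action"), "iam:PassRole"): continue
        # Resource ARNs are matched case-sensitively; '*' wildcards are honoured
        if not any(fnmatch.fnmatchcase(role_arn, r) for r in _as_list(stmt.get("Resource"))): continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed

def diagnose(trust_policy, identity_policy, role_arn):
    problems = []  # reasons RunTask would be refused with the "unable to assume the role" error
    if not trust_policy_allows_ecs_tasks(trust_policy):
        problems.append("trust policy does not let ecs-tasks.amazonaws.com assume the role")
    if not identity_policy_allows_pass_role(identity_policy, role_arn):
        problems.append("caller lacks iam:PassRole on " + role_arn)
    return problems
```

Run `diagnose(GOOD_TRUST, USER_POLICY, ROLE_ARN)` to see an empty list, and swap in `BAD_TRUST` or a role ARN outside the `ecs*` prefix to see each failure reported separately.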

Eric N

Reputation: 383

Boto3 uses the botocore library for its API functions, and it allows a range of botocore versions for each Boto3 version, so even if you have the latest Boto3 version, you may not have the latest botocore.

Botocore supports ECS IAM roles for tasks as of version 1.4.37, so if you update the underlying botocore in your environment to at least that version, you should be able to use the ECS IAM roles for tasks feature.

Upvotes: 4
