Reputation: 1465
I'm trying to create a new Task for ECS using a compose file, but I'm getting an AccessDeniedException even when my user has the required permissions.
$ ecs-cli compose --project-name test create
WARN[0000] Skipping unsupported YAML option for service... option name=build service name=builder
WARN[0000] Skipping unsupported YAML option for service... option name=restart service name=db
WARN[0000] Skipping unsupported YAML option for service... option name=restart service name=dbadmin
WARN[0000] Skipping unsupported YAML option for service... option name=restart service name=app
ERRO[0001] Error registering task definition error=AccessDeniedException: User: arn:aws:iam::XXXXXXX:user/foo is not authorized to perform: ecs:RegisterTaskDefinition on resource: *
status code: 400, request id: 41e6b69a-a839-11e6-84b0-e9bc2ec3f81b family=ecscompose-test
ERRO[0001] Create task definition failed error=AccessDeniedException: User: arn:aws:iam::XXXXXXX:user/foo is not authorized to perform: ecs:RegisterTaskDefinition on resource: *
status code: 400, request id: 41e6b69a-a839-11e6-84b0-e9bc2ec3f81b
FATA[0001] AccessDeniedException: User: arn:aws:iam::XXXXXXX:user/foo is not authorized to perform: ecs:RegisterTaskDefinition on resource: *
status code: 400, request id: 41e6b69a-a839-11e6-84b0-e9bc2ec3f81b
The user has this policy attached:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:RegisterTaskDefinition",
                "ecs:ListTaskDefinitions",
                "ecs:DescribeTaskDefinition"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
I also tried attaching the AmazonEC2ContainerServiceFullAccess policy (which has ecs:*), but it didn't work.
Upvotes: 5
Views: 2027
Reputation: 1465
Found the problem: the user I was using had a policy requiring MFA (Multi-Factor Auth), which is not supported by the ecs-cli.
Upvotes: 2
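The accepted answer explains why a policy that visibly allows ecs:RegisterTaskDefinition still produces an AccessDeniedException: an MFA-enforcement policy contains an explicit Deny that applies whenever the request context has no MFA, and an explicit Deny always wins over an Allow. The tool used long-term access keys with no MFA session, so the Deny matched. The following is an added example, not code from the question or the answers: a small Python model of that evaluation using the Allow statement from the question together with an assumed MFA policy in the common "deny unless aws:MultiFactorAuthPresent" shape (the actual MFA policy on the user is not shown on the page). It shows the same action being denied without MFA and allowed with it, and why `BoolIfExists` rather than `Bool` is what catches long-term credentials.

```python
import fnmatch

# Allow statement copied from the question's policy.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs:RegisterTaskDefinition",
                   "ecs:ListTaskDefinitions",
                   "ecs:DescribeTaskDefinition"],
        "Resource": ["*"],
    }],
}

# ASSUMED shape of the user's MFA policy (not shown on the page): the common
# "deny everything unless MFA is present" pattern. BoolIfExists means the Deny
# also matches when the key is absent entirely, which is the case for plain
# long-term access keys such as the ones ecs-cli was using.
MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """Case-insensitive glob match, so 'ecs:*' covers ecs:RegisterTaskDefinition."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Evaluate the Bool / BoolIfExists operators against the request context.

    context maps condition keys to Python bools; a missing key models a request
    made with long-term credentials, where aws:MultiFactorAuthPresent is absent.
    """
    for operator, pairs in (condition or {}).items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(f"operator {operator} not modelled here")
        for key, expected in pairs.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue          # absent key satisfies ...IfExists
                return False          # plain Bool needs the key to be present
            actual = "true" if context[key] else "false"
            if actual != str(expected).lower():
                return False
    return True


def evaluate(policies, action, context):
    """Simplified IAM decision: explicit Deny beats Allow, default is implicit deny.

    Resource matching is omitted because every statement here uses "*".
    Returns one of "ExplicitDeny", "Allow", "ImplicitDeny".
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for statement in policy["Statement"]:
            if not _action_matches(statement.get("Action", []), action):
                continue
            if not _condition_holds(statement.get("Condition"), context):
                continue
            if statement["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


def diagnose(action="ecs:RegisterTaskDefinition"):
    """Return the decision for the same action under three request contexts."""
    policies = [QUESTION_POLICY, MFA_POLICY]
    return {
        "long-term keys, no MFA key": evaluate(policies, action, {}),
        "session without MFA": evaluate(policies, action, {"aws:MultiFactorAuthPresent": False}),
        "session with MFA": evaluate(policies, action, {"aws:MultiFactorAuthPresent": True}),
    }


if __name__ == "__main__":
    for scenario, result in diagnose().items():
        print(f"{scenario:28s} -> {result}")
```

The model reproduces the symptom: with only the question's policy the action is allowed, but once the MFA Deny is attached it is denied both for a session without MFA and for plain access keys, and swapping in AmazonEC2ContainerServiceFullAccess changes nothing because an explicit Deny overrides any Allow. Against a real account the equivalent check is `aws iam simulate-principal-policy` for the user's ARN and `ecs:RegisterTaskDefinition`, once with and once without a `--context-entries` entry for `aws:MultiFactorAuthPresent`; if the result flips between allowed and explicitDeny, the MFA condition is the cause rather than the ECS permissions themselves.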
Reputation: 2136
ECS does not support a big chunk of the compose settings. However, it should just print warnings and ignore them, which will produce unintended results, but should not be throwing permission issues.
When you see 400 AccessDeniedExceptions that are in the form of "user_arn not authorized to perform service:action on service_resource" it is definitely an IAM issue. However, the IAM policy you listed looks correct. My thinking is that you are somehow not using the correct user credentials, or that the IAM policy is not applied correctly to the user.
Upvotes: 0
Reputation: 23
I believe this posting has some answers as to why the above error is happening, though not a fix.
Trouble deploying docker on AWS with ecs-cli
"From what I understand, ecs-cli has a very limited support of the complete Docker Compose file syntax"
per user Dolan Antenucci
Note the warnings "WARN[0000] Skipping unsupported YAML option for service..."
Upvotes: 0