If I use the aws cli from within a container on ECS then it appears that the IAM policy attached to the ECS instance role applies as it should but the task role IAM policy isn't used at all.
Scenario:
aws s3 cp local/file s3://remotebucket
s3 PutObject policy attached to task role, not instance role - access denied
s3 PutObject policy attached to instance role, not task role - success
My understanding of IAM in tasks is that the container inherits the instance role, but also includes the policies from the task role? How can I get the first scenario to work? http://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html
Upvotes: 2
Views: 1568
After banging my head around on this for a day, it turns out the issue is caused by an out of date AWS CLI. http://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html#task-iam-roles-minimum-sdk
In my case I was installing aws-cli with apt-get install aws-cli, which installs version 1.4.2. This version does not handle the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable needed to get the correct IAM. So it defaults to getting the instance's IAM.
The solution was to install the AWS CLI through pip or the bundled installation to ensure I had the latest version. The same will apply for the AWS SDKs - required versions are described in the link above.
Upvotes: 4
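The answer above comes down to credential-provider ordering: an SDK or CLI that knows about AWS_CONTAINER_CREDENTIALS_RELATIVE_URI asks the ECS credential endpoint for the task role first, while an older one never looks and falls through to the EC2 instance profile. The following is an added example (not code from the question, the answer or the AWS CLI) that models that chain so the two behaviours can be compared side by side. The endpoint addresses are the real ones AWS SDKs use; the `fetch` callable, the relative URI value and the JSON responses are constructed stand-ins so the script runs offline.

```python
"""Model of how an AWS SDK/CLI chooses credentials inside an ECS task.

Added example, not the AWS CLI's own code. The two metadata endpoints are
real; the fetcher and the sample responses below are constructed.
"""
import json

# Real endpoints consulted by AWS SDKs (see the ECS task IAM roles docs).
CONTAINER_CREDS_HOST = "http://169.254.170.2"
INSTANCE_CREDS_URL = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
ENV_RELATIVE_URI = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"


def resolve_credentials(env, fetch, honor_container_env=True):
    """Return (source, creds) following the provider-chain order.

    honor_container_env=False models an SDK/CLI too old to know the
    AWS_CONTAINER_CREDENTIALS_RELATIVE_URI variable: the task-role step is
    skipped and the chain falls straight through to the instance profile.
    """
    relative_uri = env.get(ENV_RELATIVE_URI)
    if honor_container_env and relative_uri:
        creds = json.loads(fetch(CONTAINER_CREDS_HOST + relative_uri))
        return "task-role", creds
    # Instance profile fallback: list the role name, then fetch its credentials.
    role_name = fetch(INSTANCE_CREDS_URL).strip()
    creds = json.loads(fetch(INSTANCE_CREDS_URL + role_name))
    return "instance-role", creds


# ---- Constructed offline stand-ins for the two metadata services ----------
SAMPLE_RELATIVE_URI = "/v2/credentials/00000000-example-task-uuid"  # constructed
SAMPLE_ENV = {ENV_RELATIVE_URI: SAMPLE_RELATIVE_URI}

_FAKE_RESPONSES = {
    CONTAINER_CREDS_HOST + SAMPLE_RELATIVE_URI: json.dumps({
        "RoleArn": "arn:aws:iam::123456789012:role/example-task-role",  # constructed
        "AccessKeyId": "ASIAEXAMPLETASK",
        "SecretAccessKey": "constructed-secret",
        "Token": "constructed-session-token",
        "Expiration": "2030-01-01T00:00:00Z",
    }),
    INSTANCE_CREDS_URL: "example-instance-role\n",
    INSTANCE_CREDS_URL + "example-instance-role": json.dumps({
        "Code": "Success",
        "AccessKeyId": "ASIAEXAMPLEINSTANCE",
        "SecretAccessKey": "constructed-secret",
        "Token": "constructed-session-token",
        "Expiration": "2030-01-01T00:00:00Z",
    }),
}


def fake_fetch(url):
    """Constructed HTTP GET stand-in keyed on the exact URL."""
    return _FAKE_RESPONSES[url]


def compare_behaviours(env=SAMPLE_ENV, fetch=fake_fetch):
    """Show which identity a current vs. an outdated client ends up using."""
    current_source, _ = resolve_credentials(env, fetch)
    legacy_source, _ = resolve_credentials(env, fetch, honor_container_env=False)
    return {"current-cli": current_source, "outdated-cli": legacy_source}


if __name__ == "__main__":
    for client, source in compare_behaviours().items():
        print(f"{client:>12}: credentials come from the {source}")
```

On a real task the quick confirmation is `aws sts get-caller-identity` from inside the container: the returned ARN should name the task role, not the instance role, once the CLI version meets the minimum in the linked documentation.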