Reputation: 8737
I have a job that, after submission to the Batch service, goes from RUNNABLE to FAILED state, with the following job status error message (from AWS Console):
ECS was unable to assume the role 'arn:aws:iam::347134692569:role/my-custom-role' that was provided for this task. Please verify that the role being passed has the proper trust relationship and permissions and that your IAM user has permissions to pass this role.
The role referenced above is managed with Terraform, with two policy attachments (AWSBatchServiceRole and AmazonEC2ContainerServiceforEC2Role) like so:
resource "aws_iam_role" "batch" {
  name = "my-custom-role"

  # trust policy: which service principals may call sts:AssumeRole on this role
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "batch.amazonaws.com"
      }
    },
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      }
    },
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs.amazonaws.com"
      }
    }
  ]
}
EOF

  tags = {
    Terraform = "true"
  }
}

# attach a policy to the role that allows using AWS Batch service
resource "aws_iam_role_policy_attachment" "batch_service_role" {
  # reference the managed resource above, not a data source
  role       = aws_iam_role.batch.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole"
}

# attach a policy to the role that allows using AWS Elastic Container service
resource "aws_iam_role_policy_attachment" "elastic_container_service_role" {
  role       = aws_iam_role.batch.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
}
The above role is used as the compute environment's service role as well as the job role for the job definition.
It seems that the above doesn't provide sufficient permission to enable assuming the role and/or necessary trust relationship(s). What else can I try to get past this error?
Upvotes: 4
Views: 6087
Reputation: 238189
Based on the comments, the issue was solved by adding ecs-tasks.amazonaws.com as a principal for AssumeRole.
It seems that the same permissions were required as those for the ECS task execution role and the task:
Upvotes: 8
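As an added example (not code from the question or the answer), a small Python check that parses a role's trust policy, the same JSON the question's assume_role_policy carries, and reports which service principal is missing for each way the role is used. The usage-to-principal map is an assumption based on how Batch, EC2 and ECS tasks assume roles; the ecs-tasks.amazonaws.com entry is the one the answer adds.

```python
import copy

# Service principal each role usage must trust for sts:AssumeRole (assumed from
# how Batch, EC2 and ECS tasks assume roles; ecs-tasks is what the answer adds).
REQUIRED_PRINCIPALS = {
    "batch_compute_environment_service_role": "batch.amazonaws.com",
    "ec2_instance_role": "ec2.amazonaws.com",
    "batch_job_role": "ecs-tasks.amazonaws.com",
}

def _as_list(value):
    # IAM accepts a single string or a list for Statement, Action and Service
    return value if isinstance(value, list) else [value]

def trusted_service_principals(trust_policy):
    """Service principals the policy allows to call sts:AssumeRole."""
    trusted = set()
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or \
                "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):  # "*" is not a service principal
            trusted.update(_as_list(principal.get("Service", [])))
    return trusted

def missing_principals(trust_policy, usages):
    """Map each usage to the principal it needs but the policy does not trust."""
    trusted = trusted_service_principals(trust_policy)
    return {u: REQUIRED_PRINCIPALS[u] for u in usages
            if REQUIRED_PRINCIPALS[u] not in trusted}

def with_service_principal(trust_policy, service):
    """Copy of the policy with an extra Allow sts:AssumeRole statement for service."""
    fixed = copy.deepcopy(trust_policy)
    fixed["Statement"] = _as_list(fixed.get("Statement", [])) + [
        {"Action": "sts:AssumeRole", "Effect": "Allow",
         "Principal": {"Service": service}}]
    return fixed

# Constructed sample: the trust policy from the question's assume_role_policy.
QUESTION_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": "sts:AssumeRole", "Effect": "Allow", "Principal": {"Service": s}}
    for s in ("batch.amazonaws.com", "ec2.amazonaws.com", "ecs.amazonaws.com")]}

# The question uses one role as compute-environment service role and job role.
USAGES = ["batch_compute_environment_service_role", "batch_job_role"]
print(missing_principals(QUESTION_TRUST_POLICY, USAGES))
# -> {'batch_job_role': 'ecs-tasks.amazonaws.com'}
```

The question's single role plays both parts; splitting the service role and the job role into separate roles keeps each trust policy down to the one principal that actually needs it.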