MGJ-123

Reputation: 634

How to give a Fargate Task the right permissions to upload to S3

I want to upload to S3 from a Fargate task. Can this be achieved by only specifying an ExecutionRoleArn, as opposed to specifying both an ExecutionRoleArn and a TaskRoleArn?

If I specify an ExecutionRoleArn that has the following permission policies attached:

Custom policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::example_bucket/*"
        }
    ]
}

AmazonECSTaskExecutionRolePolicy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}

With the following trust relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "events.amazonaws.com",
          "lambda.amazonaws.com",
          "ecs-tasks.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Would this be sufficient to allow the task to upload to S3? Or do I need to define a TaskRoleArn?

Upvotes: 3

Views: 4479

Answers (3)

Adiii

Reputation: 59906

In the case of Fargate, both IAM roles play different roles:

  • Execution Role

This role is mandatory and you cannot run the task without it, even if you add the ExecutionRole policy to the Task Role.

To reproduce this error, just set Execution role = None; you will not be able to launch the task.


AWS Forums (Unable to create a new revision of Task Definition)

  • Task Role

This role is optional and you can add S3-related permissions in this role:

Optional IAM role that tasks can use to make API requests to authorized AWS services.

Your policy seems okay:

  • Create ecs_s3_upload_role
  • Add the policy below

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::example_bucket/*"
        }
    ]
}

Now the Fargate Task will be able to upload to the S3 bucket.

Upvotes: 1

Chris Williams

Reputation: 35146

The ExecutionRoleArn is used by the service to set up the task correctly; this includes pulling any images down from ECR.

The TaskRoleArn is used by the task to give it the permissions it needs to interact with other AWS Services (such as S3).

Technically both ARNs could be the same; however, I would suggest separating them into different roles to avoid confusion over the permissions required for each of the scenarios the role is used for.

Additionally, you should have the endpoint for ecs.amazonaws.com. In fact, the full list of services, depending on how you're using ECS, is below (although most could be removed, such as spot if you're not using spot, or autoscaling if you're not using autoscaling).

"ecs.amazonaws.com",
"ecs-tasks.amazonaws.com",
"spot.amazonaws.com",
"spotfleet.amazonaws.com",
"ecs.application-autoscaling.amazonaws.com",
"autoscaling.amazonaws.com"

Upvotes: 4
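As an added illustration of the two answers above (not code from any of the posters): a small check that a task definition keeps the execution role and the task role separate, and that the role's trust policy does not admit more service principals than an ECS task role needs. The account id, role names and image are constructed; the assumption that only ecs-tasks.amazonaws.com needs to assume the task role is mine.

```python
import json

# Constructed sample task definition (not from the question): execution role
# for image pull / log writes, a separate task role for the S3 upload.
TASK_DEFINITION = {
    "family": "s3-uploader",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "taskRoleArn": "arn:aws:iam::123456789012:role/ecs_s3_upload_role",
    "containerDefinitions": [{"name": "uploader", "image": "uploader:latest"}],
}

# The trust policy from the question: events and lambda may also assume the
# role, which a task that only uploads to S3 never needs.
QUESTION_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["events.amazonaws.com",
                                  "lambda.amazonaws.com",
                                  "ecs-tasks.amazonaws.com"]},
        "Action": "sts:AssumeRole",
    }],
}


def check_task_definition(td):
    """Return findings about how executionRoleArn and taskRoleArn are set."""
    findings = []
    exec_arn, task_arn = td.get("executionRoleArn"), td.get("taskRoleArn")
    if not exec_arn:
        findings.append("executionRoleArn missing: the task cannot be launched")
    if not task_arn:
        findings.append("taskRoleArn missing: containers get no credentials for S3")
    if exec_arn and exec_arn == task_arn:
        findings.append("same role used for execution and task: permissions are mixed")
    return findings


def services_trusted(trust_policy):
    """Collect service principals allowed to assume the role via sts:AssumeRole."""
    services = set()
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        svc = stmt.get("Principal", {}).get("Service", [])
        services.update([svc] if isinstance(svc, str) else svc)
    return services


def extra_trusted_services(trust_policy, needed=frozenset({"ecs-tasks.amazonaws.com"})):
    """Services trusted beyond the one an ECS task role needs (assumed: ecs-tasks only)."""
    return sorted(services_trusted(trust_policy) - needed)
```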

Marcin

Reputation: 238081

Your policies don't include any S3-related permissions. Thus you should define your S3 permissions in a task role:

With IAM roles for Amazon ECS tasks, you can specify an IAM role that can be used by the containers in a task.

Upvotes: 0
