alx.lzt

Reputation: 486

ECS Fargate task unable to access s3 in another account

I have a scheduled ECS Fargate task running in my "AccountA". The task needs to access an S3 bucket located in another AWS account "AccountB".

The ECS task in the AccountA assumes a role "AccountA_ECSTaskRole". I have created a role "AccountB_S3AccessBucketRole" in the AccountB to allow the IAM role "AccountA_ECSTaskRole" to access the S3 bucket in AccountB.

The AccountB_S3AccessBucketRole policy is as follows:

{
"Version": "2012-10-17",
"Statement": [
    {
            "Action": [
                    "s3:ListBucket",
                    "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME"
    },
    {
            "Effect": "Allow",
            "Action": [
                    "s3:GetObject",
                    "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME/*"
    }
  ]
}

And the assume role policy:

{
"Version": "2012-10-17",
"Statement": [
  {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Principal": {
      "AWS": "AccountA_ECSTaskRole_ARN"
    }
  }  
]
}

My task is a docker container running aws s3 cp myfiletocopy s3://ACCOUNTB_BUCKET_NAME/. I specified the taskRoleArn in the task definition as AccountA_ECSTaskRole_ARN. The AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable seems to correctly be set by the ECS agent in my container since I can echo it. Still I'm getting: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

Upvotes: 3

Views: 5116
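The setup in the question is a role-chaining design: the task role in AccountA is trusted by the AccountB role, but the task itself only ever calls S3 with the task role's own credentials, so nothing ever assumes the AccountB role. The following added example (not code from the question or any answer) shows what that chain looks like when it is actually performed from inside the task: STS AssumeRole on the AccountB role, then S3 with the returned temporary credentials. It assumes boto3 is available in the container, that the task role's own policy allows sts:AssumeRole on the AccountB role ARN (required for cross-account assumption in addition to the trust policy), and uses ACCOUNTB_ROLE_ARN and ACCOUNTB_BUCKET_NAME as placeholders.

```python
# Added example: role chaining from an ECS Fargate task.
# The task role's credentials are picked up automatically from the ECS
# container credential endpoint (AWS_CONTAINER_CREDENTIALS_RELATIVE_URI).
# Placeholders (assumptions, not values from the question):
ACCOUNTB_ROLE_ARN = "arn:aws:iam::222222222222:role/AccountB_S3AccessBucketRole"
ACCOUNTB_BUCKET_NAME = "ACCOUNTB_BUCKET_NAME"


def assume_cross_account_role(sts_client, role_arn, session_name, duration=900):
    """Call STS AssumeRole and return credentials as boto3 client kwargs.

    sts_client is injected so the logic can be exercised with a stub;
    in the task it is boto3.client("sts"), which already acts as the
    task role with no extra configuration.
    """
    resp = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        DurationSeconds=duration,  # shortest allowed session: 15 minutes
    )
    creds = resp["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def s3_client_for_role(role_arn, session_name="ecs-task-to-accountb"):
    """Build an S3 client that acts as the AccountB role (needs boto3)."""
    import boto3

    creds = assume_cross_account_role(boto3.client("sts"), role_arn, session_name)
    return boto3.client("s3", **creds)


def upload_with_client(s3_client, local_path, bucket, key):
    """Upload one local file with the given client; returns (bucket, key)."""
    with open(local_path, "rb") as fh:
        s3_client.put_object(Bucket=bucket, Key=key, Body=fh)
    return bucket, key


if __name__ == "__main__":
    import sys

    src = sys.argv[1]
    client = s3_client_for_role(ACCOUNTB_ROLE_ARN)
    print(upload_with_client(client, src, ACCOUNTB_BUCKET_NAME, src.split("/")[-1]))
```

If the AccountB role is never assumed, every S3 call arrives as the AccountA task role, and the bucket (or its policy) in AccountB has granted that principal nothing, which is exactly the AccessDenied seen in the question.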

Answers (3)

Manoj Aduru

Reputation: 21

The above steps work fine, but I had to make a few more changes to make it work.

Verify whether the S3 bucket has encryption enabled; if yes, ensure you provide permissions for the KMS (CMK) operations.

Example: in the account where the S3 bucket is created, add the following permissions on the S3 bucket's CMK key.

{
    "Sid": "Allow an external account to use the CMK",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::111211111111:role/ecs-task-execution-role",
            "arn:aws:iam::111211111111:user/User"
        ]
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*"
}

(the role ARN if using a role, the user ARN if using a user)

In the account where ECS is deployed (the account where the service requiring access to S3 is deployed), add permissions in the role:

{
    "Sid": "AllowUseOfCMKInS3Account22123222222",
    "Effect": "Allow",
    "Action": [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey"
    ],
    "Resource": "arn:aws:kms:us-east-1:22123222222:key/1234abcd-12ab-34cd-12ef-1234567890de"
}

Upvotes: 2

alx.lzt

Reputation: 486

I made it work by setting a bucket policy for ACCOUNTB_BUCKET_NAME and not a role, as follows:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation"
        ],
        "Principal": {
            "AWS": "AccountA_ECSTaskRole_ARN"
         },
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME"
    },
    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "AccountA_ECSTaskRole_ARN"
        },
        "Action": [
            "s3:GetObject",
            "s3:PutObject"
        ],
        "Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME/*"
    }
]
}

And setting the AccountA_ECSTaskRole to access the ACCOUNTB_BUCKET_NAME:

{
  "Version": "2012-10-17",
  "Statement": [
        {
            "Action": [
                    "s3:ListBucket",
                    "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME"
        },
        {
            "Effect": "Allow",
            "Action": [
                    "s3:GetObject",
                    "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME/*"
        }
  ]
}

Upvotes: 0

herbertgoto

Reputation: 359

From these steps, I see you are missing the "Resource" property for the sts:AssumeRole action.

Upvotes: 1
