Reputation: 101
I am trying to access ".env" file stored in S3 bucket from Fargate ECS tasks using the Environment Files configuration (S3 ARN) under Container Definition.
But ECS task is failing with Stopped Reason - "ResourceInitializationError: failed to download env files: file download command: non-empty error stream: failed to download file configs-staging-1.env: failed to write to a temporary file: AccessDenied: Access Denied ..."
I have a Task role attached to my Fargate task definition as below:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::app-configs"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:GetObjectAcl",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::app-configs/*"
    }
  ]
}
```
and the bucket policy is also set:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789:role/ecsS3AccessTaskRole"
      },
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::app-configs"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789:role/ecsS3AccessTaskRole"
      },
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::app-configs/*"
    }
  ]
}
```
What permission am I missing here?
Upvotes: 10
Views: 11081
Reputation: 483
Sometimes I have experienced this issue when I trigger a force deployment. But after 2-3 tries Fargate can deploy clusters.
There is no network issues or permissions issue.
Upvotes: 0
Reputation: 3231
AWS Fargate task error - ResourceInitializationError: failed to download env files: failed to write to temporary file: AccessDenied - As someone suggested in a comment: turn on Public IP in networking while creating the service inside the ECS Cluster.
I would ask to link that comment as well.
Upvotes: 0
Reputation: 428
I discovered the underlying issue and the reason why Arne Claassen's solution works. Simply setting the "assignPublicIp" to "ENABLED"
resolved the problem for me. However, this solution is not ideal as it potentially exposes your service to regular attempts of vulnerability exploitation by malicious actors, who often scan public IP addresses.
To avoid exposing a public IP address while ensuring successful access to S3 environment files, I recommend the following approach:
During your service creation, ensure you select at least two subnets. Instead of opting for public subnets (which necessitate a public IP for communication), choose private subnets for your service. This method allows you to maintain your service's IP addresses private, necessitating access through a domain name and mitigating direct attacks on your service's IP address.
Upvotes: 0
Reputation: 14394
Apparently you need:

```json
"networkConfiguration": {
  "assignPublicIp": "ENABLED"
  ...
}
```

I varied every other networkConfiguration parameter, but in the end it was the public IP being disabled that caused this error.
Upvotes: 2
Reputation:
According to the AWS documentation (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html), you need to attach policies to the ecsTaskExecutionRole IAM role. (You don't need to add permission to the S3 bucket.)
Upvotes: 6
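As an added example (not from the question or any of the answers), this is the scoped policy the linked docs call for on the task *execution* role, which is the role the ECS agent uses to fetch environment files; the task-role and bucket-policy grants in the question cover the container's own S3 calls, not that download. It assumes the execution role is the one named in the task definition's `executionRoleArn`, that the file is referenced under `environmentFiles` with `"type": "s3"`, and that the agent has a network path to S3 (the point of the public-IP answers).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyTheEnvFile",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::app-configs/configs-staging-1.env"
    },
    {
      "Sid": "LocateBucket",
      "Effect": "Allow",
      "Action": "s3:GetBucketLocation",
      "Resource": "arn:aws:s3:::app-configs"
    }
  ]
}
```

Granting only `s3:GetObject` on the exact object keeps the execution role, which every task using that definition shares, from being able to read or modify anything else in the bucket.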