Reputation: 47
I have a dockerized NodeJS application, and I put the image in AWS ECR. It works well running on my local environment with docker-compose: I can generate a pre-signed PUT URL, and the pre-signed URL also works, I can upload an object to it. I tried to run the same ECR image with ECS Fargate, however I can't PUT the object to the generated pre-signed URL. I get an access denied error.
Edit: I suspect the issue comes from the IAM Role and Permissions. I build the ECS Fargate infrastructure through CloudFormation, but it seems the role is properly set up:
ECSTaskExecutionRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: !Sub "${ContainerName}-ECSTaskExecutionRolePolicy"
    Path: /
    AssumeRolePolicyDocument:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Principal:
            Service: ecs-tasks.amazonaws.com
          Action: sts:AssumeRole
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
    Policies:
      - PolicyName: root
        PolicyDocument:
          Version: 2012-10-17
          Statement:
            - Resource:
                - !Ref DBHostSSMARN
                - !Ref DBPortSSMARN
                - !Ref DBUsernameSSMARN
                - !Ref DBPasswordSSMARN
              Effect: Allow
              Action:
                - "ssm:GetParameters"
                - "secretsmanager:GetSecretValue"
                - "kms:Decrypt"
            - Resource: "*"
              Effect: Allow
              Action:
                - cloudwatch:*
                - ecr:GetDownloadUrlForLayer
                - ecr:BatchGetImage
                - ecr:BatchCheckLayerAvailability
            - Resource:
                - !Sub arn:aws:s3:::${VideoRepoName}
                - !Sub arn:aws:s3:::${VideoRepoName}/*
              Effect: Allow
              Action:
                - s3:*
Upvotes: 0
Views: 392
Reputation: 47
I've assigned the S3 permission to the wrong role. I am supposed to give the S3 permission to the Task Role, not the Task Execution Role.
Upvotes: 1
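The split the answer describes, as an added CloudFormation example that is not the asker's template: a separate task role carrying the S3 permissions, and a task definition that references both roles. It assumes the `ECSTaskExecutionRole` resource and the `VideoRepoName` and `ContainerName` parameters from the question; `AppTaskRole`, `AppTaskDefinition` and the container image are placeholders.

```yaml
# Added example (not the asker's template). The AWS SDK inside the container
# signs pre-signed URLs with credentials obtained from the task role, so S3
# permissions must live there. The execution role is only used by the ECS
# agent to pull the image and read secrets/parameters at task start-up.
# Assumes ECSTaskExecutionRole, VideoRepoName and ContainerName from the
# question; AppTaskRole, AppTaskDefinition and the image are placeholders.
AppTaskRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: !Sub "${ContainerName}-ECSTaskRole"
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Service: ecs-tasks.amazonaws.com
          Action: sts:AssumeRole
    Policies:
      - PolicyName: video-bucket-access
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            # Only the actions the pre-signed PUT/GET URLs need, scoped to the
            # bucket's objects, instead of s3:* on the whole bucket.
            - Effect: Allow
              Action:
                - s3:PutObject
                - s3:GetObject
              Resource: !Sub "arn:aws:s3:::${VideoRepoName}/*"

AppTaskDefinition:
  Type: AWS::ECS::TaskDefinition
  Properties:
    Family: !Ref ContainerName
    RequiresCompatibilities: [FARGATE]
    NetworkMode: awsvpc
    Cpu: "256"
    Memory: "512"
    # Two distinct roles: the ECS agent uses ExecutionRoleArn, the application
    # code running in the container uses TaskRoleArn.
    ExecutionRoleArn: !GetAtt ECSTaskExecutionRole.Arn
    TaskRoleArn: !GetAtt AppTaskRole.Arn
    ContainerDefinitions:
      - Name: !Ref ContainerName
        Image: "<account-id>.dkr.ecr.<region>.amazonaws.com/<repo>:<tag>"  # placeholder
        PortMappings:
          - ContainerPort: 3000
```

From a shell inside the running task, `aws sts get-caller-identity` should return an assumed-role ARN under `AppTaskRole`; if it still shows the execution role, the task definition is not the one being deployed.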