I have an ECS task running a container that requires permissions from resources, that are all a part of a specific IAM role. I am trying to add that specific role to the task definition on the console, but the only role I see is the auto-generated one by ECS.
I don't see all the IAM role in the dropdown. How do I access them?
When creating a new role make sure you choose elastic container service task
Or
If you can edit the existing role, enter the trusted entity, and edit with the following
Related
I have a problem when creating a Role I am getting an error that says “Cannot attach a Service Role Policy to a Customer Role”
In fact, there is something called Customer Managed Role, which the above error seems to display as 'Customer Role'.
From AWS documentation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-role)
A role that a service assumes to perform actions in your account on your behalf. When you set up some AWS service environments, you must define a role for the service to assume. This service role must include all the permissions required for the service to access the AWS resources that it needs.
Now if you create a role, which isn't a service role, and attach permissions yourself, it appears under what AWS shows as Customer Managed Role (Screenshot below). If you look carefully, the service roles in AWS show the AWS box icon and the Customer Managed ones don't.
Reason: I was facing the above error as well and the reason was that my Role had custom inlined policies attached. If a Role has custom attached policies (inlined), AWS doesn't let you attach the Service Roles to it. You can filter the roles and find out what's causing the issue.
I hope this is documented somewhere as I was scratching my head for quite some time on this.
I'm deploying a service to amazon ecs through docker. I need to assign an IAM role to the cluster that allows it to communicate with secrets manager, as that's where some of the important configuration comes from. However, when trying to select the iam role, I get this error message:
Error message
So I tried following the amazon documentation and going to the account settings tab signed in as the root account, only to find that the settings were already enabled by default. So now I'm sort of stuck as to what to do at this point. Is there something I'm missing here?
resources already enabled
From your screenshot what I understand is that the IAM role you are using to deploy the container does not have "ecsInstanceRole" in your IAM roles. You could use the following steps to create it.
Open the IAM console at https://console.aws.amazon.com/iam/
In the navigation pane, choose Roles and then choose Create role.
Choose the AWS service role type, and then choose Elastic Container Service.
Choose the EC2 Role for Elastic Container Service use case and then Next: Permissions.
In the Attached permissions policy section, select AmazonEC2ContainerServiceforEC2Role and then choose Next: Review.
Important
The AmazonEC2ContainerServiceforEC2Role managed policy should be attached to the container instance IAM role, otherwise you will receive an error using the AWS Management Console to create clusters.
For Role name, type ecsInstanceRole and optionally you can enter a description.
Review your role information and then choose Create role to finish.
or you can follow the below document:
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html
I'm looking for an example of how to assume a role from within a running application within ECS.
I have a role setup, and I've added the roleARN to the task definition, using the setup here: https://docs.aws.amazon.com/en_us/AmazonECS/latest/developerguide/task-iam-roles.html
Can I then assume the role from the application logic as usual? Or is there something special required?
I have this setup working, but with a IAM User which has a Secret Key and Access Key used as credentials within my application. Would switching this auth to the assume role be possible with the setup above?
The AWS SDK and CLI will automatically handle using the credentials from the assigned IAM task role.
Note that when you specify an IAM role for a task, the AWS CLI or other SDKs in the containers for that task use the AWS credentials provided by the task role exclusively and they no longer inherit any IAM permissions from the container instance.
What difference between policies under the paths "aws:policy/service-role" and "aws:policy/aws-service-role"?
Is there any the logic behind this design?
The AWS managed policies within the aws-service-role path are policies that be attached to a service-linked role only.
If you go to AWS Console -> IAM -> Policies, filter by AWS Managed Polices and start clicking on them, you'll notice the ones with the aws-servive-role path have a help label at the top that reads "This policy is linked to a service and used only with a service-linked role for that service. You cannot attach, detach, modify, or delete this policy.". There might be a way to filter down to the service-linked policies in the AWS Console or CLI when desribing policies other than inspecting the paths, but it alludes me right now.
You can see their usage described here
https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html.
Here also is the blog post that describes what a service-linked role is https://aws.amazon.com/blogs/security/introducing-an-easier-way-to-delegate-permissions-to-aws-services-service-linked-roles/. Basically these are roles that can only be assumed by a specific service type.
The AWS managed policies in the service-role path are policies that can be attached to any role including "normal/basic" roles. These types of roles can be assumed by users, EC2 instances, or anywhere else roles are assumed.
For example you could give someone permission to attach a linked-service role that has the policy arn:aws:iam::aws:policy/aws-service-role/AWSLambdaReplicator attached which is only attachable to a linked-role linked to the Lambda service. They would be able to use this role in the Lambda execution role, but they would not be able to use this role with another service like EC2 or an IAM user. This supports an admin allowing users to assign out permissions to new resources that users spins up (a new Lambda) that that the admin trusts the linked AWS service to use, but don't want to allow that user to access directly through their user account or give them to other custom applications running in AWS.
I am attempting to launch a Docker container stored in ECR as an AWS batch job. The entrypoint python script of this container attempts to connect to S3 and download a file.
I have attached a role with AmazonS3FullAccess to both the AWSBatchServiceRole in the compute environment and I have also attached a role with AmazonS3FullAccess to the compute resources.
This is the following error that is being logged: botocore.exceptions.ConnectTimeoutError: Connect timeout on endpoint URL: "https://s3.amazonaws.com/"
There is a chance that these instances are being launched in a custom VPC, not the default VPC. I'm not sure this makes a difference, but maybe that is part of the problem. I do not have appropriate access to check. I have tested this Docker image on an EC2 instance launched in the same VPC and everything works as expected.
You mentioned compute environment and compute resources. Did you add this S3 policy to the Job Role as mentioned here?
After you have created a role and attached a policy to that role, you can run tasks that assume the role. You have several options to do this:
Specify an IAM role for your tasks in the task definition. You can create a new task definition or a new revision of an existing task definition and specify the role you created previously. If you use the console to create your task definition, choose your IAM role in the Task Role field. If you use the AWS CLI or SDKs, specify your task role ARN using the taskRoleArn parameter. For more information, see Creating a Task Definition.
Specify an IAM task role override when running a task. You can specify an IAM task role override when running a task. If you use the console to run your task, choose Advanced Options and then choose your IAM role in the Task Role field. If you use the AWS CLI or SDKs, specify your task role ARN using the taskRoleArn parameter in the overrides JSON object. For more information, see Running Tasks.