I am attempting to run a boto3 python script inside a docker container using AWS ECS. My script need access to SQS ( get & delete messages ) and Lambda ( permission to search and run ).
In order to get the docker container running on my local machine I was able to pass my aws credentials into the docker container using the following docker run command.
docker run -v ~/.aws:/root/.aws
Recently ECS has announced:
Amazon ECS now supports IAM roles for tasks. When you specify an IAM role for a task, its containers can then use the latest versions of the AWS CLI or SDKs to make API requests to authorized AWS services. Learn More
I attach a task IAM role to the task but upon running the task I get the following error:
Unable to run task
ECS was unable to assume the role that was provided for this task. Please verify that the role being passed has the proper trust relationship and permissions and that your IAM user has permissions to pass this role.
Any ideas would be appreciated.
It looks like IAM Task Roles are now supported in Boto, but regardless, that would be an issue when the Boto client was trying to make a request, not when trying to launch a task.
The issue here is defined in the error message. Either:
1) Your user does not have the iam:PassRole permission defined for the task role. This can be added by editing your user's policy to have a statement similar to the following:
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::<account>:role/<role name>"
}
2) The Task role you are trying to assign to the task does not have the proper trust relationship. Add the following trust policy to the ECS task role to make sure that it can be assumed by the task.
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Boto3 uses the botocore library for its API functions, and it allows a range of botocore versions for each Boto3 version, so even if you have the latest Boto3 version, you may not have the latest botocore.
Botocore supports ECS IAM roles for tasks as of version 1.4.37, so if you update the underlying botocore in your environment to at least that version, you should be able to use the ECS IAM roles for tasks feature.
Related
I've currently writing a Terraform module for EC2 ASGs with ECS. Everything about starting the instances works, including IAM-dependent actions such as KMS-encrypted volumes. However, the ECS agent fails with:
Error getting ECS instance credentials from default chain: NoCredentialProviders: no valid providers in chain.
Unfortunately, most posts I find about this are about the CLI being run without credentials configured, however this should of course use the instance profile.
The posts I do find regarding that are about missing IAM policies for the instance role. However, I do have this trust relationship
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com",
"ecs.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
(Added ECS because someone on SO had it in there, I don't think that's right. Also removed some conditions.)
It has these policies attached:
AmazonSSMManagedInstanceCore
AmazonEC2ContainerServiceforEC2Role
When I connect via SSH and try to run awscli commands, I get the error
Unable to locate credentials. You can configure credentials by running "aws configure".
running any command.
But with
curl http://169.254.169.254/latest/meta-data/iam/info
I see the correct instance profile ARN and with
curl http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance
I see temporary credentials. With these in the awscli configuration,
aws sts get-caller-identity
returns the correct results. There are no iptables rules or routes blocking access to the metadata service and I've deactivated IMDSv2 token requirement for the time being.
I'm using the latest stable version of ECS-optimized Amazon Linux 2.
What might be the issue here?
I'm now having a private ECR repo and a EC2 instance. If I would like to pull the image from the private ECR in my local machine, I have to setup my AWS credential by using aws configure and perform a docker login.
And now, I want to pull image from the EC2 instance. When I am trying to run docker command directly, it told me to authenticate first. Is it possible to attach IAM role to my EC2 instance and skip the docker login or aws ecr login workflow?
At this moment, I can only run aws configure inside the EC2 instance, and it seems need an extra IAM user which I am trying to avoid.
You don't have to run aws configure in on EC2 machine, in fact this would a bad security practice. You should attach an AWS role which allows the EC2 instance to fetch image and more importantly, be abel to grab the authorization token for the ECR registry. For example, you can create a policy with the following permissions to have read-only access to ECR images:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:DescribeImages",
"ecr:GetAuthorizationToken",
"ecr:ListImages"
],
"Resource": "*"
}
]
}
Using this policy, create a new IAM service role and attach it attached to the EC2 instance.
Now, even if you have this role attached, you will have to authenticate the Docker CLI using an authorization token.
In addition to the other answers posted here stating you should use the EC2 IAM role instead of configuring a role with aws configure, I also suggest installing the Amazon ECR Credential Helper on your EC2 instance. Then you won't have to perform a docker login.
I have to setup my AWS credential by using aws configure and perform a docker login.
You don't have to. If your code runs on EC2, you should use instance IAM role instead of regular setup of aws credentials using aws configure.
I am trying to use the AWS SageMaker Studio > Get Started > Quick Start, as an IAM user with the AmazonSageMakerFullAccess policy attached, but I am getting the following error:
User: arn:aws:iam::<user-id>:user/<username> is not authorized to perform: sagemaker:CreateDomain on resource: arn:aws:sagemaker:us-west-1:<user-id>:domain/d-<domain-id>
I looked up some documentation on the CreateDomain command, and it looks like it involves EFS storage and VPC configuration, so I have also added the FullAccess policies for these services to my IAM user, but am still getting the same error.
I also tried adding a custom policy as shown here: https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-roles.html#sagemaker-roles-createdomain-perms which also seemed to have no effect.
What am I doing wrong here?
AmazonSageMakerFullAccess policy gives the user access to perform actions such as start training jobs, deploy endpoints, along with limited access on other services such as ECR, Glue etc. This is generally attached to a SageMaker notebook instance or Studio.
The user creating the SageMaker domain needs sagemaker:CreateDomain permission, i.e., to your IAM user, add:
{
"Sid": "AllowCreateDomain",
"Effect": "Allow",
"Action": "sagemaker:CreateDomain",
"Resource": "*"
}
I work at AWS and my opinions are my own.
I am going to Update existing Api gateway through aws cli commands (https://docs.aws.amazon.com/cli/latest/reference/apigateway/put-rest-api.html) from AWS CodePipeline and meet problem that CodeBuild has
An error occurred (AccessDeniedException) when calling the GetRestApis operation: User: arn:aws:sts:<skipped_text> is not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:us-west-2::/restapis
Is it possible to update Api gateway through code using CodePipeline and aws cli?
Or What do you use as a tool for updating apigateway?
Make sure to add following policy to the IAM user in order to allow admin access (CREATE, READ, UPDATE, DELETE) to API gateway,
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"apigateway:*"
],
"Resource": "arn:aws:apigateway:*::/*"
}
]
}
which also exists under amazon managed policies, AmazonAPIGatewayAdministrator,
1) Please check your credential working properly or not ,It appears that the credentials used in your AWS SDK do not have valid permissions on the API Gateway API.
You will need to define a policy for the user/role similar to below.
http://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html
2) When using CloudFormation with CodePipeline, need to create a role that can be assumed by CloudFormation,CodePipeline moves releases through a pipeline using the role you specify for a pipeline. CloudFormation needs permission to assume a separate role that you create for the CloudFormation action (it's not enough to create a role with permission to access other resources).
References
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-basic-walkthrough.html
https://s3.amazonaws.com/cloudformation-examples/user-guide/continuous-deployment/basic-pipeline.yml
aws forums
I'm trying to add aws cloudwatch agent to see additional metrics using tutorial
A brief review of what I did:
Create AIM role and attach to EC2 instance doc (NOTE: I do not use Parameter Store just for communication between EC2 and cloudwatch)
Install Agent using s3 link
Create agent configuration file docs
Run agent using CLI dosc
But it still not working and in agent log, I see errors like
ec2tagger: Unable to initialize EC2 Instance Tags : +NoCredentialProviders: no valid providers in chain. Deprecated.
For verbose messaging see aws.Config.CredentialsChainVerboseErrors
While googling I found not much related to cloudwath just only that in AIM role in 'Trust Relationship' config ec2 should be mentioned in service section and it is:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Any ideas, thanks!?
In my case the instance had an IAM role attached, but the role was missing the ec2:DescribeTags permission. Adding that fixed the problem.
"The first procedure creates the IAM role that you must attach to each Amazon EC2 instance that runs the CloudWatch agent. This role provides permissions for reading information from the instance and writing it to CloudWatch." in docs
please attach IAM role that you created to your ec2 instance first,it works for me
The cloudwatch agent process that runs in the ec2 should be able to describe the tags of ec2. The permission required for that is ec2:DescribeTags.
Attaching instance role with the managed policy arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy will resolve the problem.
Check to see if the CloudWatch Agent service is running (started)
I got the same issue, resolve by using below command, refresh routes
Import-Module C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psm1; Add-Routes
Solved by running aws configure from inside the instance