AWS ECS Docker Container Boto3 IAM Permissions

Question

I am attempting to run a boto3 python script inside a docker container using AWS ECS. My script need access to SQS ( get & delete messages ) and Lambda ( permission to search and run ).

In order to get the docker container running on my local machine I was able to pass my aws credentials into the docker container using the following docker run command.

docker run -v ~/.aws:/root/.aws

Recently ECS has announced:

Amazon ECS now supports IAM roles for tasks. When you specify an IAM role for a task, its containers can then use the latest versions of the AWS CLI or SDKs to make API requests to authorized AWS services. Learn More

I attach a task IAM role to the task but upon running the task I get the following error:

Unable to run task ECS was unable to assume the role that was provided for this task. Please verify that the role being passed has the proper trust relationship and permissions and that your IAM user has permissions to pass this role.

Any ideas would be appreciated.

Answer 1

It looks like IAM Task Roles are now supported in Boto, but regardless, that would be an issue when the Boto client was trying to make a request, not when trying to launch a task.

The issue here is defined in the error message. Either:

1) Your user does not have the iam:PassRole permission defined for the task role. This can be added by editing your user's policy to have a statement similar to the following:

{
  "Effect": "Allow",
  "Action": "iam:PassRole",
  "Resource": "arn:aws:iam::<account>:role/<role name>"
}

2) The Task role you are trying to assign to the task does not have the proper trust relationship. Add the following trust policy to the ECS task role to make sure that it can be assumed by the task.

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}