AWS ECS Docker Container Boto3 IAM Permissions

I am attempting to run a boto3 python script inside a docker container using AWS ECS. My script needs access to SQS (get & delete messages) and Lambda (permission to search and run).

In order to get the docker container running on my local machine I was able to pass my aws credentials into the docker container using the following docker run command.

docker run -v ~/.aws:/root/.aws <image>

Recently ECS has announced:

Amazon ECS now supports IAM roles for tasks. When you specify an IAM role for a task, its containers can then use the latest versions of the AWS CLI or SDKs to make API requests to authorized AWS services.

I attach a task IAM role to the task but upon running the task I get the following error:

Unable to run task ECS was unable to assume the role that was provided for this task. Please verify that the role being passed has the proper trust relationship and permissions and that your IAM user has permissions to pass this role.

Any ideas would be appreciated.

michael_65 asked Aug 19 '16 01:08



1 Answer

It looks like IAM Task Roles are now supported in Boto, but regardless, that would be an issue when the Boto client was trying to make a request, not when trying to launch a task.

The issue here is defined in the error message. Either:

1) Your user does not have the iam:PassRole permission defined for the task role. This can be added by editing your user's policy to have a statement similar to the following:

{
  "Effect": "Allow",
  "Action": "iam:PassRole",
  "Resource": "arn:aws:iam::<account>:role/<role name>"
}

2) The Task role you are trying to assign to the task does not have the proper trust relationship. Add the following trust policy to the ECS task role to make sure that it can be assumed by the task.

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
louahola answered Sep 24 '22 23:09
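The answer names two separate conditions behind the "ECS was unable to assume the role" error: the caller needs iam:PassRole on the task role, and the task role's trust policy must let ecs-tasks.amazonaws.com call sts:AssumeRole. The script below is an added example (not code from the answer's author or from AWS) that checks both conditions against policy documents offline, so you can verify the fix before re-running the task. The account id, role name and policy documents are constructed samples; the evaluator is a deliberate simplification that handles Allow/Deny, string-or-list fields and `*` wildcards but ignores Condition blocks, NotAction/NotResource, permission boundaries and SCPs. The `fetch_trust_policy` helper shows the boto3 call for the live variant and is not executed here.

```python
"""Offline checks for the two causes of "ECS was unable to assume the role".

1) the caller lacks iam:PassRole on the task role
2) the task role's trust policy does not allow ecs-tasks.amazonaws.com

Simplified evaluator: Allow/Deny, string-or-list fields and * wildcards only
(no Condition, NotAction/NotResource, permission boundaries or SCPs).
"""
import fnmatch
import json

ECS_TASKS_PRINCIPAL = "ecs-tasks.amazonaws.com"


def load_policy(doc):
    """Accept a JSON string (pasted from the console) or an already-decoded dict."""
    return json.loads(doc) if isinstance(doc, str) else doc


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Service fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy):
    """Statement may be a single object or a list of objects."""
    return _as_list(load_policy(policy).get("Statement"))


def _action_matches(stmt, wanted):
    """Case-insensitive match of a wanted action against the statement's Action patterns."""
    patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
    return any(fnmatch.fnmatchcase(wanted.lower(), p) for p in patterns)


def trust_allows_ecs_tasks(trust_policy):
    """True if an Allow statement lets the ECS tasks service principal call sts:AssumeRole."""
    for stmt in _statements(trust_policy):
        if stmt.get("Effect") != "Allow" or not _action_matches(stmt, "sts:AssumeRole"):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict):
            services = _as_list(principal.get("Service"))
            if ECS_TASKS_PRINCIPAL in services or "*" in services:
                return True
    return False


def can_pass_role(identity_policy, role_arn):
    """True if the caller's policy explicitly allows iam:PassRole on role_arn
    and no explicit Deny matches (ARN patterns are case-sensitive)."""
    allowed = denied = False
    for stmt in _statements(identity_policy):
        if not _action_matches(stmt, "iam:PassRole"):
            continue
        if not any(fnmatch.fnmatchcase(role_arn, r) for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            denied = True
        elif stmt.get("Effect") == "Allow":
            allowed = True
    return allowed and not denied


def diagnose(identity_policy, trust_policy, role_arn):
    """Return the list of problems that would produce the error from the question."""
    problems = []
    if not can_pass_role(identity_policy, role_arn):
        problems.append("caller lacks iam:PassRole on " + role_arn)
    if not trust_allows_ecs_tasks(trust_policy):
        problems.append("task role trust policy does not allow " + ECS_TASKS_PRINCIPAL)
    return problems


def fetch_trust_policy(role_name):
    """Live variant (not run in this example): boto3 returns the trust document decoded."""
    import boto3  # imported lazily so the offline checks above need no AWS SDK installed
    return boto3.client("iam").get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]


# Constructed sample documents; account id and role name are placeholders.
TASK_ROLE_ARN = "arn:aws:iam::123456789012:role/my-ecs-task-role"
GOOD_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": TASK_ROLE_ARN}]}
GOOD_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": ECS_TASKS_PRINCIPAL}, "Action": "sts:AssumeRole"}]}
# PassRole granted only on some other role, so the task role cannot be passed.
BAD_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/some-other-role"}]}
# Trust policy that names the EC2 service principal rather than the ECS tasks one.
BAD_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}})

if __name__ == "__main__":
    print(diagnose(GOOD_IDENTITY_POLICY, GOOD_TRUST_POLICY, TASK_ROLE_ARN))
    print(diagnose(BAD_IDENTITY_POLICY, BAD_TRUST_POLICY, TASK_ROLE_ARN))
```

Run it as-is to see the two sample outcomes; to check a real role, replace the sample trust document with `fetch_trust_policy("my-ecs-task-role")` and the identity document with the policy attached to the user or role that calls RunTask. An empty list from `diagnose` means both conditions in the answer are satisfied under this simplified model; a Condition block or a permission boundary can still block the call and must be checked separately.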