I'm trying to get a list of tasks that are running on my ECS environment from the AWS API, but I'm getting the same error all the time:
User: arn:aws:iam::[my_id]:user/[username] is not authorized to perform: ecs:ListTasks on resource: *
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ecs:RunTask",
                "ecs:ListTasks",
                "ecs:StartTask",
                "ecs:StopTask"
            ],
            "Resource": [
                "arn:aws:ecs:us-east-1:[my_id]:task/*",
                "arn:aws:ecs:us-east-1:[my_id]:task-definition/*",
                "arn:aws:ecs:us-east-1:[my_id]:cluster/*",
                "arn:aws:ecs:us-east-1:[my_id]:task-set/*/*/*",
                "arn:aws:ecs:us-east-1:[my_id]:container-instance/*",
                "arn:aws:ecs:us-east-1:[my_id]:service/*"
            ]
        }
    ]
}
So as you can see, I should be able to access the action with all the available resources. What am I missing?
Thanks.
The ListTasks action only supports container instances as the resource, not the cluster ARN. The cluster ARN can only be added as a condition.
The following policy works.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ecs:ListTasks",
            "Resource": "*",
            "Condition": {
                "ArnEquals": {
                    "ecs:cluster": "arn:aws:ecs:ap-southeast-2:[account id]:cluster/MyEcsCluster"
                }
            }
        }
    ]
}
Reference: Actions defined by Amazon Elastic Container Service (check the ListTasks action in this reference)
Hope this helps.
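To see why the asker's policy is denied while the answer's policy is allowed, here is an added example (not from the question, the answer, or AWS; it is a deliberately simplified model of IAM evaluation, not the real engine). It implements only the parts that matter here: wildcard matching of Action and Resource, the ArnEquals/ArnLike condition operators, and the explicit-deny-over-allow decision. The account id 123456789012 and the cluster name MyEcsCluster are constructed placeholders. The request resource for ListTasks is "*", exactly as the error message in the question reports, because the call carries no specific resource ARN; that is why a policy listing concrete ARN patterns never matches it.

```python
import re

# Constructed placeholders: a sample account id and a sample cluster name.
ACCOUNT_ID = "123456789012"
CLUSTER_ARN = f"arn:aws:ecs:ap-southeast-2:{ACCOUNT_ID}:cluster/MyEcsCluster"

# The asker's policy: concrete resource ARN patterns, no condition.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs:RunTask", "ecs:ListTasks", "ecs:StartTask", "ecs:StopTask"],
        "Resource": [
            f"arn:aws:ecs:us-east-1:{ACCOUNT_ID}:task/*",
            f"arn:aws:ecs:us-east-1:{ACCOUNT_ID}:task-definition/*",
            f"arn:aws:ecs:us-east-1:{ACCOUNT_ID}:cluster/*",
            f"arn:aws:ecs:us-east-1:{ACCOUNT_ID}:container-instance/*",
            f"arn:aws:ecs:us-east-1:{ACCOUNT_ID}:service/*",
        ],
    }],
}

# The answer's policy: Resource "*" scoped down by the ecs:cluster condition key.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ecs:ListTasks",
        "Resource": "*",
        "Condition": {"ArnEquals": {"ecs:cluster": CLUSTER_ARN}},
    }],
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, case_sensitive=True):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None


def _condition_holds(condition, context):
    """Evaluate ArnEquals/ArnLike (the operators the answer uses); every key must match."""
    for operator, pairs in condition.items():
        if operator not in ("ArnEquals", "ArnLike"):
            raise NotImplementedError(f"operator {operator} is not modelled in this example")
        for key, patterns in pairs.items():
            actual = context.get(key)
            # A context key absent from the request makes a plain condition false.
            if actual is None or not any(_wildcard_match(p, actual) for p in _as_list(patterns)):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Simplified IAM decision: explicit Deny wins, then any matching Allow, else implicit deny."""
    context = context or {}
    allowed = False
    for st in policy["Statement"]:
        # Action names are matched case-insensitively; resource ARNs case-sensitively.
        if not any(_wildcard_match(a, action, case_sensitive=False) for a in _as_list(st["Action"])):
            continue
        if not any(_wildcard_match(r, resource) for r in _as_list(st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    ctx = {"ecs:cluster": CLUSTER_ARN}
    # ListTasks is evaluated against resource "*", which none of the concrete ARN
    # patterns in the original policy match; the fixed policy matches and the
    # ecs:cluster condition then restricts it to the intended cluster.
    print("original policy, ListTasks:", is_allowed(ORIGINAL_POLICY, "ecs:ListTasks", "*", ctx))
    print("fixed policy, ListTasks:   ", is_allowed(FIXED_POLICY, "ecs:ListTasks", "*", ctx))
```

The same model also shows why the original policy is not wrong for the other actions in it: RunTask is authorised against a task-definition ARN, which the `task-definition/*` pattern does match, so only the resource-less ListTasks call fails. Before relying on a policy like the fixed one, test it against a non-matching cluster ARN as well, to confirm the condition really scopes the `*` resource rather than opening it to every cluster in the account.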