Why I am getting "not authorized to perform: ecs:ListTasks on resource: *" exception on AWS API

I'm trying to get a list of the tasks that are running in my ECS environment from the AWS API, but I'm getting the same error all the time:

User: arn:aws:iam::[my_id]:user/[username] is not authorized to perform: ecs:ListTasks on resource: *

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ecs:RunTask",
                "ecs:ListTasks",
                "ecs:StartTask",
                "ecs:StopTask"
            ],
            "Resource": [
                "arn:aws:ecs:us-east-1:[my_id]:task/*",
                "arn:aws:ecs:us-east-1:[my_id]:task-definition/*",
                "arn:aws:ecs:us-east-1:[my_id]:cluster/*",
                "arn:aws:ecs:us-east-1:[my_id]:task-set/*/*/*",
                "arn:aws:ecs:us-east-1:[my_id]:container-instance/*",
                "arn:aws:ecs:us-east-1:[my_id]:service/*"
            ]
        }
    ]
}

So as you can see, I should be able to access the action with all the available resources. What am I missing?

Thanks.

Tamir Ohana asked Jan 05 '20 23:01





1 Answer

The ListTasks action only supports container instances as the resource, not the cluster ARN. The cluster ARN can only be added as a condition.

The following policy works.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ecs:ListTasks",
            "Resource": "*",
            "Condition": {
                "ArnEquals": {
                    "ecs:cluster": "arn:aws:ecs:ap-southeast-2:[account id]:cluster/MyEcsCluster"
                }
            }
        }
    ]
}

Reference: Actions defined by Amazon Elastic Container Service (check the ListTasks action in this reference)

Hope this helps.

Arun Kamalanathan answered Sep 21 '22 11:09

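The following is an added example, not code from the question, the answer, or AWS. It is a deliberately small model of how IAM evaluates an Allow statement, enough to show why the policy in the question is an implicit deny for ecs:ListTasks while the policy in the answer works: ListTasks is evaluated against the literal resource "*" (exactly what the error message reports), so a Resource list made of specific ARNs can never match it, and the cluster can only be pinned through the ecs:cluster condition key. The account id, the cluster names and the request contexts are constructed placeholders; the evaluator itself only models wildcard matching on Action/Resource, implicit deny, and the ArnEquals/ArnLike/StringEquals operators, and fails closed on anything else.

```python
"""Toy model of IAM Allow evaluation for the ecs:ListTasks question.

Added example, not code from the question, the answer or AWS. Models only
Action/Resource wildcard matching, implicit deny and a few condition
operators; Deny statements, NotAction/NotResource and policy variables are
not implemented. Account id, cluster ARNs and contexts are placeholders.
"""
import fnmatch

ACCOUNT = "123456789012"  # placeholder account id (assumption, not a real account)
CLUSTER = f"arn:aws:ecs:ap-southeast-2:{ACCOUNT}:cluster/MyEcsCluster"
OTHER_CLUSTER = f"arn:aws:ecs:ap-southeast-2:{ACCOUNT}:cluster/SomeOtherCluster"

# Policy from the question, with the placeholder account id filled in.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs:RunTask", "ecs:ListTasks", "ecs:StartTask", "ecs:StopTask"],
        "Resource": [
            f"arn:aws:ecs:us-east-1:{ACCOUNT}:task/*",
            f"arn:aws:ecs:us-east-1:{ACCOUNT}:task-definition/*",
            f"arn:aws:ecs:us-east-1:{ACCOUNT}:cluster/*",
            f"arn:aws:ecs:us-east-1:{ACCOUNT}:task-set/*/*/*",
            f"arn:aws:ecs:us-east-1:{ACCOUNT}:container-instance/*",
            f"arn:aws:ecs:us-east-1:{ACCOUNT}:service/*",
        ],
    }],
}

# Policy from the answer: Resource "*" narrowed by the ecs:cluster condition key.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ecs:ListTasks",
        "Resource": "*",
        "Condition": {"ArnEquals": {"ecs:cluster": CLUSTER}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # fnmatch also interprets '[...]', but ARNs and action names never
    # contain '[', so the approximation is safe for this model.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    # Every key under every operator must be satisfied. Only ArnEquals,
    # ArnLike and StringEquals are modelled; any other operator fails closed.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # key absent from the request: condition not met
            if operator in ("ArnEquals", "ArnLike"):
                ok = any(_iam_match(p, actual) for p in _as_list(expected))
            elif operator == "StringEquals":
                ok = actual in _as_list(expected)
            else:
                ok = False
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """True if some Allow statement matches action, resource and context.

    `resource` is the ARN IAM evaluates the call against. For ListTasks
    that is the literal "*", as the error message in the question shows,
    so a Resource list of specific ARNs can never match it.
    """
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_iam_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_iam_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return True
    return False  # nothing matched: implicit deny


if __name__ == "__main__":
    ctx = {"ecs:cluster": CLUSTER}
    print("original policy, ListTasks:", is_allowed(ORIGINAL_POLICY, "ecs:ListTasks", "*", ctx))
    print("fixed policy, ListTasks on MyEcsCluster:", is_allowed(FIXED_POLICY, "ecs:ListTasks", "*", ctx))
    print("fixed policy, ListTasks on another cluster:",
          is_allowed(FIXED_POLICY, "ecs:ListTasks", "*", {"ecs:cluster": OTHER_CLUSTER}))
```

Running it prints False, True, False: the original policy still allows StopTask on a specific task ARN, but ListTasks gets an implicit deny because none of its Resource entries match "*", and the fixed policy allows ListTasks only when the call targets MyEcsCluster. Against a real account the same question is answered by the IAM policy simulator, for example `aws iam simulate-principal-policy --policy-source-arn <user or role ARN> --action-names ecs:ListTasks`, which reports the matched statements rather than the bare AccessDenied the ECS API returns.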