"Role is not valid" when trying to register a new ECS task definition with cross account assumed roles

0

Okay this is a tricky one, so I'll try and paint as good of a picture as possible.

Given

  • Multiple AWS accounts
  • Using github OIDC to assume a role in account A
  • The github role in account A then assumes a role in account B that allows it to perform actions in that account

This all works well and haven't had any issues except.

When trying to register a new ECS task definition ex: aws ecs register-task-definition --cli-input-json file://task-definition.json

We're receiving the following from the action Role is not valid

I can perform this action without a hitch from my administrator account using the same task-definition, so I believe the task-definition is correct.

What I've tried

  • provided the assumed role in account B with the following trusted entities
     {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "ecs.amazonaws.com",
                    "codedeploy.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
  • I've given the role in account B full access to all ECS resources
  • I've given the role in account B full admin access - (just to test) None of this worked

Github OIDC role - Account A (111111111111)

// Trust relationships - standard github oidc
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GithubOidcAuth",
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::264460841970:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": [
                "sts:TagSession",
                "sts:AssumeRoleWithWebIdentity"
            ],
            "Condition": {
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:OUR_REPO/*:*"
                },
                "ForAllValues:StringEquals": {
                    "token.actions.githubusercontent.com:iss": "http://token.actions.githubusercontent.com",
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}
// permissions
{
    "Statement": [
        {
            "Action": [
                "sts:TagSession",
                "sts:AssumeRole"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::22222222:role/github-deployer-assumed-XXXXX",
            ]
        }
    ],
    "Version": "2012-10-17"
}

Assumed role is designated account - Account B (2222222222)

// Trust relationships 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:role/github-oidc-deployer-XXXXX"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
// Permissions
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"RegisterTaskDefinition",
         "Effect":"Allow",
         "Action":[
            "ecs:RegisterTaskDefinition",
            "ecs:UpdateService",
            "ecs:DescribeServices"
         ],
         "Resource":"*"
      },
      {
         "Sid":"PassRolesInTaskDefinition",
         "Effect":"Allow",
         "Action":[
            "iam:PassRole"
         ],
         "Resource": "*"
      }
   ]
}

PS We are not using CodeDeploy

1回答
0

Please can you provide the GitHub action that’s registering the task. My hunch is that your not assuming the role in account b.

The first statement you added to the trust for the assumed role doesn’t need to be applied to the role that github is assuming.

profile picture
エキスパート
回答済み 10ヶ月前

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ