How do I configure my IAM task role in Amazon ECS to avoid "Access Denied" errors when I make API calls?


I want to configure my AWS Identity and Access Management (IAM) task role in Amazon Elastic Container Service (Amazon ECS) so that I don't get "Access Denied" errors when I make API calls.

Short description

To avoid the Access Denied error, include your IAM role in your Amazon ECS task definition.

You must also turn on the IAM role in your ECS container agent configuration file, and make sure that the IAM role has all the required permissions so that your task can use it to make the API calls.

Note: If a task can't find the IAM task role because of configuration issues, then the task uses the Amazon Elastic Compute Cloud (Amazon EC2) instance role.

Resolution

Confirm that the ECS container agent is running

Run the docker ps command and confirm that the ECS container agent's container appears in the output:

docker ps

Note: If you restart the instance, then the rules for iptables are reset to the default. To avoid a reset, run one of the following commands to save the rules.

Amazon ECS-optimized Amazon Linux Amazon Machine Image (AMI):

sudo service iptables save

Amazon ECS-optimized Amazon Linux 2 AMI:

sudo iptables-save | sudo tee /etc/sysconfig/iptables && sudo systemctl enable --now iptables

Turn on your IAM role in your ECS container agent configuration file

Complete the following steps:

  1. Open your /etc/ecs/ecs.config file.

  2. To turn on the IAM role for tasks in containers with bridge and default network modes, set ECS_ENABLE_TASK_IAM_ROLE to true:

    ECS_ENABLE_TASK_IAM_ROLE=true

  3. To turn on the IAM role for tasks in containers with the host network mode, set ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST to true:

    ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST=true

  4. To update the configuration file, run one of the following commands to restart the ECS container agent:

    Amazon ECS-optimized Amazon Linux AMI:

    sudo stop ecs
    sudo start ecs

    Amazon ECS-optimized Amazon Linux 2 AMI:

    sudo systemctl restart ecs

Update the IAM role trust policy

To assign your IAM role to your Amazon ECS tasks, update your IAM role trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Update the HTTP_PROXY settings for the ECS container agent

If you use HTTP_PROXY on your Amazon ECS container agent configuration, then apply the following NO_PROXY setting:

NO_PROXY=169.254.169.254,169.254.170.2,/var/run/docker.sock
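As an added example (not part of this article or of the ECS agent), the following Python script checks the three settings described above, the ecs.config flags, the NO_PROXY list and the role trust policy, against a constructed sample of each and reports which of the misconfigurations this article covers apply. The sample ecs.config, the proxy host name and the sample trust policy are constructed for the example.

```python
import json
# Constructed sample of /etc/ecs/ecs.config (not from the article): the host-mode
# setting is commented out and NO_PROXY lacks the task credential endpoint.
SAMPLE_ECS_CONFIG = """\
ECS_ENABLE_TASK_IAM_ROLE=true
# ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST=true
HTTP_PROXY=proxy.example.internal:3128
NO_PROXY=169.254.169.254,/var/run/docker.sock
"""
# Constructed trust policy that trusts EC2 instead of ECS tasks.
SAMPLE_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]})

def parse_ecs_config(text):
    """ecs.config is KEY=VALUE per line; blank lines and # comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg

def trust_policy_allows_ecs_tasks(policy_json):
    """True if an Allow statement lets ecs-tasks.amazonaws.com call sts:AssumeRole."""
    for stmt in json.loads(policy_json).get("Statement", []):
        services = stmt.get("Principal", {}).get("Service", [])
        actions = stmt.get("Action", [])
        services = [services] if isinstance(services, str) else services
        actions = [actions] if isinstance(actions, str) else actions
        if (stmt.get("Effect") == "Allow" and "ecs-tasks.amazonaws.com" in services
                and "sts:AssumeRole" in actions):
            return True
    return False

def find_task_role_problems(ecs_config_text, trust_policy_json, network_mode="bridge"):
    """Return the misconfigurations this article lists that apply; empty means none found."""
    cfg = parse_ecs_config(ecs_config_text)
    problems = []
    if cfg.get("ECS_ENABLE_TASK_IAM_ROLE") != "true":
        problems.append("ECS_ENABLE_TASK_IAM_ROLE is not true")
    if network_mode == "host" and cfg.get("ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST") != "true":
        problems.append("ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST is not true (host network mode)")
    if "HTTP_PROXY" in cfg:  # agent proxy set: the metadata and credential endpoints must bypass it
        required = {"169.254.169.254", "169.254.170.2", "/var/run/docker.sock"}
        missing = required - set(cfg.get("NO_PROXY", "").split(","))
        if missing:
            problems.append("NO_PROXY is missing " + ", ".join(sorted(missing)))
    if not trust_policy_allows_ecs_tasks(trust_policy_json):
        problems.append("trust policy does not allow ecs-tasks.amazonaws.com to sts:AssumeRole")
    return problems
```

Run find_task_role_problems with the contents of your own ecs.config and the role's trust policy JSON, passing "host" when the task definition uses host network mode.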

Use the latest AWS SDK version

The application that runs in your container must use a 2016 or later version of the AWS SDK. To update your AWS SDK, see AWS SDKs and tools version support and Tools to build on AWS.

Configure iptables rules for a non-Amazon ECS-optimized AMI

If you use a non-Amazon ECS-optimized AMI, then set the iptables rules that the task IAM role feature requires.

Make the environment variable available to non-PID 1 processes

The AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable is available only to the PID 1 process within a container. If the container runs multiple processes or an init process, then the environment variable is unavailable to processes other than PID 1.

To make the environment variable available to non-PID 1 processes, export it in the .profile file. For example, add the following command to the Dockerfile for your container image to export the environment variable:

RUN echo 'export $(strings /proc/1/environ | grep AWS_CONTAINER_CREDENTIALS_RELATIVE_URI)' >> /root/.profile

Note: This command depends on the strings and grep commands being present in the container image.

Related information

Amazon EC2 Windows instance additional configuration

AWS OFFICIAL. Updated 7 months ago.