I want to run an Amazon Elastic Container Service (Amazon ECS) task, but I receive an AccessDenied error.
Short description
AccessDenied errors occur when the AWS Identity and Access Management (IAM) role that your Amazon ECS resource uses doesn't have the required permissions to run an action on an AWS resource. Two roles are involved in running a task: the task execution role, which the ECS agent uses to pull the container image, fetch secrets, and write logs, and the task role, which your application code uses for its own AWS API calls. Identify which role the error names, and then add only the missing permissions to that role. If the error message says the action was denied "with an explicit deny", for example from a service control policy or a permissions boundary, adding an Allow statement to the role doesn't resolve the issue; you must remove or change the Deny instead.
Resolution
To confirm that your IAM role doesn't have the required permissions, check the event messages for your service and the stopped reason for your stopped tasks in the Amazon ECS console, or with the describe-tasks AWS CLI command. Permission errors on the task execution role (for example, pulling an image from Amazon ECR) stop the task before your container starts, so they appear in the stopped reason. Permission errors on the task role occur inside your application, so they appear in your container logs.
You receive an error message similar to the following when your Amazon ECS resource's IAM role doesn't have the required permissions:
"User: arn:aws:iam::123456789012:rolename is not authorized to perform: ecs:action on resource: arn:aws:ecs:region:123456789012:resource-type/resource-name"
In the preceding example error message, arn:aws:iam::123456789012:rolename is the IAM role, ecs:action is the missing permission, and arn:aws:ecs:region:123456789012:resource-type/resource-name is the affected resource. Because a task assumes its role, the principal in a real message usually appears as an STS assumed-role ARN such as arn:aws:sts::123456789012:assumed-role/rolename/session-name, where rolename is the role to fix. The denied action can belong to a service other than Amazon ECS, such as ecr:GetAuthorizationToken, logs:CreateLogStream, or secretsmanager:GetSecretValue. Newer messages also end with a reason, such as "because no identity-based policy allows the ecs:action action". Note the role name, the action, and the resource to use in your permissions policy.
Use Amazon ECS managed policies
When you use IAM roles for Amazon ECS, it's a best practice to start from the Amazon ECS managed policies, which include the most common required permissions for a given role type. For example, AmazonECSTaskExecutionRolePolicy covers image pulls from Amazon ECR and log delivery to Amazon CloudWatch Logs for a task execution role. For a task role, the permissions that your application needs are specific to your workload, so scope them to the actions and resources named in the error rather than attaching a broad managed policy.
To use an Amazon ECS managed policy, complete the following steps:
- Open the IAM console.
- In the navigation pane, choose Roles.
- Select the affected IAM role.
- Choose Add permissions, and then choose Attach policies directly.
- In the search bar, enter and select a managed policy that matches the role's purpose, such as AmazonECSTaskExecutionRolePolicy for a task execution role.
- Choose Next, and then choose Add permissions.
- To test the permissions, run the operation that failed.
Create an inline policy
To set up custom permissions, create an inline policy that allows exactly the action on the resource that the error message names, and then attach the policy to the Amazon ECS IAM role that the message identifies. Keep the Resource element as specific as the error allows; use "*" only when the action requires it, as ecr:GetAuthorizationToken does. If several stopped tasks report different denied actions, collect all of them and add them to the same policy to avoid fixing one error at a time.
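The following Python script is an added example, not part of the original article or an AWS-provided tool. It parses AccessDenied messages in the shape quoted above into role name, denied action, resource, and reason, and then builds one least-privilege inline policy document per role. The error messages, role names, account ID 123456789012, and resource ARNs are constructed for the example. It also separates denials that an Allow statement cannot fix, such as an explicit deny from a service control policy.

```python
from __future__ import annotations

import json
import re

# Constructed sample messages in the shape shown in the article; not real account output.
# The first two come from a task execution role and a task role respectively; the
# third is an explicit deny that adding an Allow will not resolve.
SAMPLE_ERRORS = [
    "User: arn:aws:sts::123456789012:assumed-role/ecsTaskExecutionRole/1a2b3c is not "
    "authorized to perform: ecr:GetAuthorizationToken on resource: * because no "
    "identity-based policy allows the ecr:GetAuthorizationToken action",
    "User: arn:aws:sts::123456789012:assumed-role/appTaskRole/4d5e6f is not authorized "
    "to perform: s3:GetObject on resource: arn:aws:s3:::example-bucket/config.json",
    "User: arn:aws:sts::123456789012:assumed-role/appTaskRole/4d5e6f is not authorized "
    "to perform: ecs:RunTask on resource: "
    "arn:aws:ecs:us-east-1:123456789012:task-definition/worker:3 with an explicit "
    "deny in a service control policy",
]

# Principal (IAM role ARN or STS assumed-role ARN), action, resource, and an
# optional trailing reason clause as IAM emits it today.
_ACCESS_DENIED_RE = re.compile(
    r"User: (?P<principal>arn:aws:(?:iam|sts)::\d{12}:\S+) is not authorized "
    r"to perform: (?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+) on resource: "
    r"(?P<resource>\S+?)(?: (?P<reason>(?:because|with an explicit deny) .*))?$"
)


def parse_access_denied(message: str) -> dict:
    """Extract role name, denied action, resource and (if present) the reason."""
    m = _ACCESS_DENIED_RE.search(message.strip().strip('"'))
    if not m:
        raise ValueError(f"not an IAM AccessDenied message: {message!r}")
    # arn:aws:sts::123456789012:assumed-role/RoleName/session -> RoleName
    # arn:aws:iam::123456789012:role/RoleName                 -> RoleName
    name_part = m.group("principal").rpartition(":")[2]
    pieces = name_part.split("/")
    if pieces[0] in ("assumed-role", "role") and len(pieces) > 1:
        role_name = pieces[1]
    else:
        role_name = name_part
    return {
        "role_name": role_name,
        "action": m.group("action"),
        "resource": m.group("resource"),
        "reason": m.group("reason"),
    }


def allow_can_fix(reason: str | None) -> bool:
    """True when the denial is a missing Allow in the role's identity policy.

    An explicit Deny, a permissions boundary, or a resource-based policy is not
    overridden by a new Allow on the role, so those need a different fix.
    """
    if reason is None:
        return True  # older message format gives no reason; assume a missing Allow
    return "no identity-based policy allows" in reason


def build_inline_policies(messages: list[str]) -> tuple[dict, list[dict]]:
    """Group denials by role and return ({role_name: policy_document}, unfixable)."""
    per_role: dict[str, dict[str, list[str]]] = {}
    unfixable: list[dict] = []
    for msg in messages:
        d = parse_access_denied(msg)
        if not allow_can_fix(d["reason"]):
            unfixable.append(d)
            continue
        resources = per_role.setdefault(d["role_name"], {}).setdefault(d["action"], [])
        if d["resource"] not in resources:
            resources.append(d["resource"])
    policies = {}
    for role_name, by_action in per_role.items():
        statements = []
        for action, resources in by_action.items():
            statements.append({
                # Sid must be alphanumeric, so strip the colon from the action name.
                "Sid": re.sub(r"[^A-Za-z0-9]", "", action),
                "Effect": "Allow",
                "Action": action,
                "Resource": resources if len(resources) > 1 else resources[0],
            })
        policies[role_name] = {"Version": "2012-10-17", "Statement": statements}
    return policies, unfixable


if __name__ == "__main__":
    policies, unfixable = build_inline_policies(SAMPLE_ERRORS)
    for role_name, document in policies.items():
        print(f"# inline policy for role {role_name}")
        print(json.dumps(document, indent=2))
    for d in unfixable:
        print(f"# {d['role_name']}: {d['action']} denied ({d['reason']}); "
              "an Allow statement will not fix this")
```

Save each generated document to a file and attach it with aws iam put-role-policy --role-name ROLE --policy-name POLICY --policy-document file://policy.json, then rerun the task. Because the script keys policies by role name, permissions that the task execution role needs (such as ecr:GetAuthorizationToken) are never added to the task role by mistake.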
Related information
Identity and Access Management for Amazon Elastic Container Service
How do I configure my Amazon ECS task to assume an IAM role in another AWS account?