How to set up IAM roles/policies to run Fargate tasks inside a step function?

1

Hi,

I followed the wizard to create an ECS/fargate cluster and a basic step function state machine. I was able to run the state machine once (after working through a few permissions issues), though the container exited. I updated the task definition (specifically, all I changed was the container's entrypoint and command), and I'm now encountering a new IAM issue despite not (to my knowledge) changing anything related to the state machine or cluster's roles.

Error
ECS.AccessDeniedException

Cause
User: arn:aws:sts::****:assumed-role/StepFunctions-hello-role-****/**** is not authorized to perform: ecs:RunTask on resource: arn:aws:ecs:us-west-2:****:task-definition/hello-task:2 because no identity-based policy allows the ecs:RunTask action (Service: AmazonECS; Status Code: 400; Error Code: AccessDeniedException; Proxy: null)

Is there a particular resource that needs to have this role/policy assigned that I'm missing? I don't know how to set or access permissions for "assumed roles" before or after the state machine runs.

Thanks!

1 answer
0

Here are a couple of good reference links to review. The first one describes in detail considerations for identity based policies with ECS, while the second link provides detail on managing ECS/Fargate tasks from Step Functions.

- ECS Identity Policies
- Step Functions and ECS/Fargate

AWS
AWSdave
answered a year ago
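As an added illustration, not part of the question or the answer above: the error quoted in the question is what IAM returns when the state machine role's policy names one task-definition revision (for example `hello-task:1`) and `ecs:RunTask` is then called with a newer revision (`hello-task:2`), because an identity-based policy only allows what its Resource pattern matches. The pinned policy, the account id and the role names below are assumptions chosen for the example; the matcher implements IAM's `*`/`?` wildcard rules for Action and Resource only (no Deny or Condition evaluation).

```python
import re

# Values constructed from the ARN quoted in the error; the account id is a placeholder.
ACCOUNT = "111122223333"
REGION = "us-west-2"
TASK_DEF_V2 = f"arn:aws:ecs:{REGION}:{ACCOUNT}:task-definition/hello-task:2"


def iam_matches(pattern: str, value: str) -> bool:
    """IAM Action/Resource wildcard matching: '*' is any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def allows(policy: dict, action: str, resource: str) -> bool:
    """True if some Allow statement covers action on resource (Deny and Condition not modelled)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(iam_matches(a, action) for a in actions) and any(iam_matches(r, resource) for r in resources):
            return True
    return False


# Hypothetical policy pinned to task-definition revision 1; assumed, not taken from the question.
PINNED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ecs:RunTask",
                   "Resource": f"arn:aws:ecs:{REGION}:{ACCOUNT}:task-definition/hello-task:1"}],
}

# Corrected policy: every revision of the hello-task family, plus iam:PassRole for the roles
# ECS must receive with the task, limited to the ECS tasks service. Role names are placeholders.
FAMILY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ecs:RunTask",
         "Resource": f"arn:aws:ecs:{REGION}:{ACCOUNT}:task-definition/hello-task:*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": [f"arn:aws:iam::{ACCOUNT}:role/hello-task-execution-role",
                      f"arn:aws:iam::{ACCOUNT}:role/hello-task-role"],
         "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
    ],
}

if __name__ == "__main__":
    print("pinned :", allows(PINNED_POLICY, "ecs:RunTask", TASK_DEF_V2))   # False, the error seen
    print("family :", allows(FAMILY_POLICY, "ecs:RunTask", TASK_DEF_V2))   # True
```

Against the real account the same question can be put to IAM with `aws iam simulate-principal-policy --policy-source-arn <state machine role ARN> --action-names ecs:RunTask --resource-arns <task-definition ARN>`, which also reports the matching statement.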
