Lambda policy not authorized to call RunTask - policy issue?

0

Hi all, I've been tearing my hair out about this, and I have a feeling the answer will be simple, but beyond me at the moment.

I have an S3 bucket notification that triggers a Lambda function to run a Fargate task to process the uploaded file. The Lambda function can download the file fine, but when invoking 'RunTask' via the AWS Node SDK, I get:

"UnauthorizedOperation: You are not authorized to perform this operation."

When I run the Lambda function locally with a user with Administrator permissions, all works fine, so it must be the Lambda's policy, which I've copied below (redacted values shown):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "ecs:RunTask"
            ],
            "Resource": [
                "arn:aws:s3:::<redacted>/*",
                "arn:aws:s3:::<redacted>",
                "arn:aws:ecs:us-east-1:<account_id>:task-definition/<task_def_family_name>:*"
            ]
        }
    ]
}

I have also tried with no ':*' wildcard for the task definition ARN, as well as 'ecs:*' broad-stroke permissions, and no dice.

Am I missing any additional permissions required for 'RunTask'? Perhaps some read permissions?

Thanks in advance.

Asked 3 years ago, 598 views
1 answer
0

There I go... Missing an ec2:DescribeSubnets in my Lambda role...

Answered 3 years ago
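For reference, here is a least-privilege version of the Lambda role policy that incorporates the ec2:DescribeSubnets fix from the answer above. This is an added example, not the original poster's policy. The <task_execution_role_name> and <task_role_name> placeholders are assumptions standing in for whatever roles the task definition references: the iam:PassRole statement is only needed when the task definition sets an execution role or a task role (RunTask passes those roles to ECS on the caller's behalf, and a missing PassRole produces an AccessDenied of its own), and ec2:DescribeSubnets is granted on Resource "*" because EC2 Describe* actions do not support resource-level restrictions.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadUploadedObjects",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<redacted>",
                "arn:aws:s3:::<redacted>/*"
            ]
        },
        {
            "Sid": "RunFargateTask",
            "Effect": "Allow",
            "Action": "ecs:RunTask",
            "Resource": "arn:aws:ecs:us-east-1:<account_id>:task-definition/<task_def_family_name>:*"
        },
        {
            "Sid": "PassTaskRolesAssumedPlaceholders",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": [
                "arn:aws:iam::<account_id>:role/<task_execution_role_name>",
                "arn:aws:iam::<account_id>:role/<task_role_name>"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "ecs-tasks.amazonaws.com"
                }
            }
        },
        {
            "Sid": "DescribeSubnetsForAwsvpcNetworking",
            "Effect": "Allow",
            "Action": "ec2:DescribeSubnets",
            "Resource": "*"
        }
    ]
}
```

The iam:PassedToService condition keeps the PassRole grant from being reused to hand those roles to any other service. To confirm the role can make every call before redeploying, run aws iam simulate-principal-policy with --policy-source-arn set to the Lambda role ARN and --action-names ecs:RunTask iam:PassRole ec2:DescribeSubnets; each action should come back as "allowed".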
