Unable to override taskRoleArn when running ECS task from Lambda

1

I have a Lambda function that is supposed to pass its own permissions to the code running in an ECS task. It looks like this:

    import boto3

    ecs = boto3.client("ecs")

    ecs_parameters = {
        "cluster": ...,
        "launchType": "FARGATE",
        "networkConfiguration": ...,
        "overrides": {
            # the ARN that STS reports for the identity this Lambda runs as
            "taskRoleArn": boto3.client("sts").get_caller_identity().get("Arn"),
            ...
        },
        "platformVersion": "LATEST",
        "taskDefinition": f"my-task-definition-{STAGE}",
    }
    response = ecs.run_task(**ecs_parameters)

When I run this in Lambda, I get this error:

    "errorMessage": "An error occurred (ClientException) when calling the RunTask operation: ECS was unable to assume the role 'arn:aws:sts::787364832896:assumed-role/my-lambda-role...' that was provided for this task. Please verify that the role being passed has the proper trust relationship and permissions and that your IAM user has permissions to pass this role."

If I change the task definition in ECS to use my-lambda-role as the task role, it works. It's specifically when I try to override the task role from Lambda that it breaks.

The Lambda role has the AWSLambdaBasicExecutionRole policy and also an inline policy that grants it ecs:runTask and iam:PassRole. It has a trust relationship that looks like:

    "Effect": "Allow",
    "Principal": {
        "Service": [
            "ecs.amazonaws.com",
            "lambda.amazonaws.com",
            "ecs-tasks.amazonaws.com"
        ]
    },
    "Action": "sts:AssumeRole"

The task definition has a policy that grants it sts:AssumeRole and iam:PassRole, and a trust relationship that looks like:

    "Effect": "Allow",
    "Principal": {
        "Service": "ecs-tasks.amazonaws.com",
        "AWS": "arn:aws:iam::account-ID:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS"
    },
    "Action": "sts:AssumeRole"

How do I allow the Lambda function to pass the role to ECS, and ECS to assume the role it's been given?

P.S. - I know a lot of these permissions are overkill, so let me know if there are any I can get rid of :) Thanks!

  • Can you supply the policy statements attached to the Lambda execution role?

  • I'm using the AWS-managed Lambda execution role (if that's what you were asking).

        "Effect": "Allow",
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ],
        "Resource": "*"
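The value being passed as `taskRoleArn` in the question is whatever `get_caller_identity` returns, which inside Lambda is an STS assumed-role ARN (`arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION`, as the error message shows) and on a laptop is an IAM user ARN. `RunTask` expects an IAM role ARN (`arn:aws:iam::ACCOUNT:role/ROLE`) in that field. The following is an added example, not code from the question or either answer: it validates the ARN before it reaches `run_task` and rebuilds the role ARN from the assumed-role ARN. All ARNs in it are constructed samples, and it assumes the role was created without a path (the assumed-role ARN drops the path, so a role under e.g. `/service-role/` would have to be looked up with `iam:GetRole` instead).

```python
import re

# Shapes of the ARNs that matter here. The question's Lambda error shows an
# STS assumed-role ARN being passed; the local run shows an IAM user ARN.
ASSUMED_ROLE_RE = re.compile(
    r"^arn:(?P<partition>aws[\w-]*):sts::(?P<account>\d{12}):assumed-role/"
    r"(?P<role>[\w+=,.@-]+)/(?P<session>[\w+=,.@-]+)$"
)
IAM_ROLE_RE = re.compile(
    r"^arn:(?P<partition>aws[\w-]*):iam::(?P<account>\d{12}):role/"
    r"(?P<path>(?:[\w+=,.@-]+/)*)(?P<role>[\w+=,.@-]+)$"
)


def is_iam_role_arn(arn: str) -> bool:
    """True only for an IAM role ARN, the form RunTask's taskRoleArn accepts."""
    return IAM_ROLE_RE.match(arn) is not None


def role_arn_from_caller_arn(caller_arn: str) -> str:
    """Map an STS caller-identity ARN to the IAM role ARN it was assumed from.

    Assumption: the role has no path. The assumed-role ARN carries only the
    role name, so a role created under a path cannot be rebuilt from it and
    must be fetched with iam:GetRole instead.
    """
    if is_iam_role_arn(caller_arn):
        return caller_arn  # already a role ARN, nothing to translate
    m = ASSUMED_ROLE_RE.match(caller_arn)
    if m is None:
        # An IAM user (e.g. 'arn:aws:iam::...:user/...' from a local run)
        # is not a role, so ECS has nothing to assume; fail early and clearly.
        raise ValueError(f"not a role or assumed-role ARN: {caller_arn}")
    return f"arn:{m['partition']}:iam::{m['account']}:role/{m['role']}"


def task_role_override(caller_arn: str) -> dict:
    """Build the 'overrides' fragment for run_task with a validated role ARN.

    The role still needs a trust policy for ecs-tasks.amazonaws.com and the
    caller still needs iam:PassRole on it; this only fixes the ARN's shape.
    """
    return {"taskRoleArn": role_arn_from_caller_arn(caller_arn)}


if __name__ == "__main__":
    # Constructed sample values, not taken from any real account.
    for sample in (
        "arn:aws:sts::123456789012:assumed-role/my-lambda-role/my-function",
        "arn:aws:iam::123456789012:role/my-task-role",
        "arn:aws:iam::123456789012:user/my-user",
    ):
        try:
            print(sample, "->", task_role_override(sample))
        except ValueError as exc:
            print(sample, "->", exc)

    # Hypothetical wiring inside the Lambda (needs boto3 and credentials):
    # import boto3
    # caller = boto3.client("sts").get_caller_identity()["Arn"]
    # boto3.client("ecs").run_task(..., overrides=task_role_override(caller))
```

Running it locally with a user ARN raises before any AWS call is made, which is the same condition the second comment on the first answer describes, just reported on the client side instead of by ECS.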

2 answers
0

In order for your Lambda function to pass the role to RunTask, the function's execution role policy needs to allow both ecs:RunTask and iam:PassRole. The policy currently associated with the function does not allow these actions.

Note: The ECS Task Role does not need these permissions. The Task Role only needs those permissions necessary for the functioning of the application itself.

AWS
Expert
answered 2 years ago
  • Thanks for the response! I think I might have been unclear. The Lambda function also has this inline policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "ecs:runTask",
                    "iam:PassRole"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
    

    in addition to the AWSLambdaBasicExecutionRole and various other policies.

  • I should also note that when I try to run this locally, I get:

    botocore.errorfactory.ClientException: An error occurred (ClientException) when calling the RunTask operation: ECS was unable to assume the role 'arn:aws:iam::account-ARN:user/my-user' that was provided for this task. Please verify that the role being passed has the proper trust relationship and permissions and that your IAM user has permissions to pass this role.
    

    My user has Administrator Access, so I believe the problem is on the ECS side rather than on the Lambda side. Let me know if there's any more information I can provide. Thanks!
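The answer above names the two actions the execution role needs. The inline policy quoted in the comments grants both on `"Resource": "*"`, which lets the function pass any role in the account to ECS. Below is an added example of a tighter version of that policy; it is not from the question or the answers, and `REGION`, `ACCOUNT_ID`, `CLUSTER_NAME` and `TASK_ROLE_NAME` are placeholders to fill in. It limits `ecs:RunTask` to one task definition family on one cluster and limits `iam:PassRole` to the one task role, passable only to the ECS tasks service.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RunOnlyThisTaskDefinitionOnThisCluster",
      "Effect": "Allow",
      "Action": "ecs:RunTask",
      "Resource": "arn:aws:ecs:REGION:ACCOUNT_ID:task-definition/my-task-definition-STAGE:*",
      "Condition": {
        "ArnEquals": {
          "ecs:cluster": "arn:aws:ecs:REGION:ACCOUNT_ID:cluster/CLUSTER_NAME"
        }
      }
    },
    {
      "Sid": "PassOnlyTheTaskRoleAndOnlyToEcsTasks",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::ACCOUNT_ID:role/TASK_ROLE_NAME",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "ecs-tasks.amazonaws.com"
        }
      }
    }
  ]
}
```

With this in place, a task role that is not `TASK_ROLE_NAME` fails at `RunTask` with an access-denied error on `iam:PassRole` rather than being launched, which is the check a reviewer would want on a function that can hand out roles.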

0

Hello,

Thank you for clarifying that the Lambda execution role has the proper permissions to run the ECS task and to pass the IAM role. The trust relationship policy configuration also looks good, allowing the ECS task to assume the role. Here is the general troubleshooting guideline for this issue:

https://aws.amazon.com/premiumsupport/knowledge-center/ecs-unable-to-assume-role/

For further troubleshooting, we will need to look into account specific details. Please reach out to AWS support to investigate the issue.

AWS
Support Engineer
Isha_K
answered 2 years ago
