"Role is not valid" when trying to register a new ECS task definition with cross account assumed roles

Question

Okay this is a tricky one, so I'll try and paint as good of a picture as possible.

Given
- Multiple AWS accounts
- Using github OIDC to assume a role in account A
- The github role in account A then assumes a role in account B that allows it to perform actions in that account

This all works well and haven't had any issues except.

When trying to register a new ECS task definition
ex: `aws ecs register-task-definition --cli-input-json file://task-definition.json`

We're receiving the following from the action `Role is not valid`

I can perform this action without a hitch from my administrator account using the same task-definition, so I believe the task-definition is correct.

What I've tried
- provided the assumed role in account B with the following trusted entities
```
     {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "ecs.amazonaws.com",
                    "codedeploy.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
```
- I've given the role in account B full access to all ECS resources
- I've given the role in account B full admin access - (just to test)
None of this worked

Github OIDC role - Account A (111111111111)
```
// Trust relationships - standard github oidc
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GithubOidcAuth",
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::264460841970:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": [
                "sts:TagSession",
                "sts:AssumeRoleWithWebIdentity"
            ],
            "Condition": {
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:OUR_REPO/*:*"
                },
                "ForAllValues:StringEquals": {
                    "token.actions.githubusercontent.com:iss": "http://token.actions.githubusercontent.com",
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}
// permissions
{
    "Statement": [
        {
            "Action": [
                "sts:TagSession",
                "sts:AssumeRole"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::22222222:role/github-deployer-assumed-XXXXX",
            ]
        }
    ],
    "Version": "2012-10-17"
}
```

Assumed role is designated account - Account B (2222222222)
```
// Trust relationships 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:role/github-oidc-deployer-XXXXX"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
// Permissions
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"RegisterTaskDefinition",
         "Effect":"Allow",
         "Action":[
            "ecs:RegisterTaskDefinition",
            "ecs:UpdateService",
            "ecs:DescribeServices"
         ],
         "Resource":"*"
      },
      {
         "Sid":"PassRolesInTaskDefinition",
         "Effect":"Allow",
         "Action":[
            "iam:PassRole"
         ],
         "Resource": "*"
      }
   ]
}
```

PS We are not using CodeDeploy

Answer

Please can you provide the GitHub action that’s registering the task. My hunch is that your not assuming the role in account b.

The first statement you added to the trust for the assumed role doesn’t need to be applied to the role that github is assuming.

"Role is not valid" when trying to register a new ECS task definition with cross account assumed roles

관련 콘텐츠