"Role is not valid" when trying to register a new ECS task definition with cross account assumed roles

0

Okay this is a tricky one, so I'll try and paint as good of a picture as possible.

Given

  • Multiple AWS accounts
  • Using github OIDC to assume a role in account A
  • The github role in account A then assumes a role in account B that allows it to perform actions in that account

This all works well and haven't had any issues except.

When trying to register a new ECS task definition ex: aws ecs register-task-definition --cli-input-json file://task-definition.json

We're receiving the following from the action Role is not valid

I can perform this action without a hitch from my administrator account using the same task-definition, so I believe the task-definition is correct.

What I've tried

  • provided the assumed role in account B with the following trusted entities
     {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "ecs.amazonaws.com",
                    "codedeploy.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
  • I've given the role in account B full access to all ECS resources
  • I've given the role in account B full admin access - (just to test) None of this worked

Github OIDC role - Account A (111111111111)

// Trust relationships - standard github oidc
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GithubOidcAuth",
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::264460841970:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": [
                "sts:TagSession",
                "sts:AssumeRoleWithWebIdentity"
            ],
            "Condition": {
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:OUR_REPO/*:*"
                },
                "ForAllValues:StringEquals": {
                    "token.actions.githubusercontent.com:iss": "http://token.actions.githubusercontent.com",
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}
// permissions
{
    "Statement": [
        {
            "Action": [
                "sts:TagSession",
                "sts:AssumeRole"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::22222222:role/github-deployer-assumed-XXXXX",
            ]
        }
    ],
    "Version": "2012-10-17"
}

Assumed role is designated account - Account B (2222222222)

// Trust relationships 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:role/github-oidc-deployer-XXXXX"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
// Permissions
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"RegisterTaskDefinition",
         "Effect":"Allow",
         "Action":[
            "ecs:RegisterTaskDefinition",
            "ecs:UpdateService",
            "ecs:DescribeServices"
         ],
         "Resource":"*"
      },
      {
         "Sid":"PassRolesInTaskDefinition",
         "Effect":"Allow",
         "Action":[
            "iam:PassRole"
         ],
         "Resource": "*"
      }
   ]
}

PS We are not using CodeDeploy

1 Resposta
0

Please can you provide the GitHub action that’s registering the task. My hunch is that your not assuming the role in account b.

The first statement you added to the trust for the assumed role doesn’t need to be applied to the role that github is assuming.

profile picture
ESPECIALISTA
respondido há 9 meses

Você não está conectado. Fazer login para postar uma resposta.

Uma boa resposta responde claramente à pergunta, dá feedback construtivo e incentiva o crescimento profissional de quem perguntou.

Diretrizes para responder a perguntas