By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

How to set up IAM roles/policies to run Fargate tasks inside a step function?

1

Hi,

I followed the wizard to create an ECS/fargate cluster and a basic step function state machine. I was able to run the state machine once (after working through a few permissions issues), though the container exited. I updated the task definition (specifically, all I changed was the container's entrypoint and command), and I'm now encountering a new IAM issue despite not (to my knowledge) changing anything related to the state machine or cluster's roles.

Error
ECS.AccessDeniedException

Cause
User: arn:aws:sts::****:assumed-role/StepFunctions-hello-role-****/**** is not authorized to perform: ecs:RunTask on resource: arn:aws:ecs:us-west-2:****:task-definition/hello-task:2 because no identity-based policy allows the ecs:RunTask action (Service: AmazonECS; Status Code: 400; Error Code: AccessDeniedException; Proxy: null)

Is there a particular resource that needs to have this role/policy assigned that I'm missing? I don't know how to set or access permissions for "assumed roles" before or after the state machine runs.

Thanks!

Topics
ServerlessApplication IntegrationSecurity, Identity, & ComplianceContainers
Tags
AWS Step FunctionsAWS Identity and Access ManagementAWS FargateAmazon Elastic Container ServiceContainers
Language
English
mstone-modulus
asked 2 years ago719 views
1 Answer
0

Here are a couple of good reference links to review. The first one describes in detail considerations for identity based policies with ECS, while the second link provides detail on managing ECS/Fargate tasks from Step Functions. ECS Identity Policies Step Functions and ECS/Fargate

AWS
AWSdave
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content