
Getting warnings for ECS resource creation but ecs:TagResource already being used

0

We received an email about using the ecs:TagResource permissions in our CreateCluster API call. We needed to add that permission to our IAM policy, or it would stop working.

We checked our policies and found that we are already using the tags. We thought this was resolved, but we got another service interruption warning this morning. (e-mail was titled: [Action Required] Update your ECS IAM policies to avoid service interruption )

Has anyone handled this and gotten Amazon to notice the changes or point out where they are happening? We can't seem to resolve this. Any thoughts or suggestions would be appreciated.

asked 2 years ago · 529 views
2 Answers
0
1. Verify IAM Policy for Correct Permissions

Ensure that the ecs:TagResource permission is correctly specified in your IAM policy. Here’s an example of how the policy should look:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateCluster",
        "ecs:TagResource"
      ],
      "Resource": "*"
    }
  ]
}

2. Check All Relevant Policies

Make sure the ecs:TagResource permission is included in all policies that might be associated with ECS actions. This includes policies attached to roles, users, and groups that are creating or managing ECS clusters.

3. Check for Policy Propagation

Sometimes, changes to IAM policies may take a few minutes to propagate. Ensure that sufficient time has passed since you made the changes.

4. Review Policy Scope

Ensure that the policy is not restricted by conditions that might prevent ecs:TagResource from being applied correctly.

5. CloudTrail Logs

Use AWS CloudTrail to log and review the API calls made to ECS. This can help you identify if the ecs:TagResource action is being called and if it’s being denied due to insufficient permissions.

Go to the CloudTrail console. Create a new trail (if you don’t already have one). Look for CreateCluster events and check if there are any related AccessDenied errors for ecs:TagResource.

6. Service-Linked Roles

Ensure that the ECS service-linked role (ecs.amazonaws.com) has the necessary permissions to call ecs:TagResource. This role should have permissions to manage ECS resources.

7. AWS Support

If you've verified all the above and are still encountering issues, it may be time to contact AWS Support for assistance. Provide them with:

The exact IAM policies you have set up.

Details from the CloudTrail logs.

The email warnings you’ve received.

Example Steps to Contact AWS Support

Go to the AWS Support Center.

Create a new support case.

Select “Technical support” and provide detailed information about the issue.

Attach any relevant logs or screenshots.

EXPERT
answered 2 years ago
EXPERT
reviewed 2 years ago
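As an added example (not part of either answer), a small Python audit that applies steps 1, 2 and 4 above to a set of IAM policy documents: for each policy that allows ecs:CreateCluster it checks whether ecs:TagResource is also allowed, honouring IAM's case-insensitive `*` wildcards, and flags the cases where TagResource is only granted under a Condition or is overridden by a Deny. The policy documents are constructed samples; in practice you would feed it the policies pulled from IAM for every role, user and group that creates clusters.

```python
import fnmatch

# Constructed sample policies (not from the original post), one per outcome.
SAMPLE_POLICIES = {
    "deploy-role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ecs:CreateCluster", "ecs:TagResource"], "Resource": "*"}]},
    "legacy-user": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ecs:CreateCluster", "Resource": "*"}]},
    "ci-group": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ecs:CreateCluster", "Resource": "*"},
        {"Effect": "Allow", "Action": "ecs:Tag*", "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestTag/team": "platform"}}}]},
    "admin-denied": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ecs:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ecs:TagResource", "Resource": "*"}]},
}

def _as_list(value):
    """IAM accepts a bare string/object or a list for Statement and Action."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def audit_policy(policy):
    """Record how the policy treats ecs:CreateCluster and ecs:TagResource (NotAction is not evaluated)."""
    r = {"create": False, "tag": False, "tag_conditional": False, "tag_denied": False}
    for stmt in _as_list(policy.get("Statement", [])):
        effect = stmt.get("Effect")
        for pat in _as_list(stmt.get("Action", [])):
            if effect == "Allow" and _matches(pat, "ecs:CreateCluster"):
                r["create"] = True
            if _matches(pat, "ecs:TagResource"):
                # A Deny wins outright; a conditional Allow needs manual review (step 4).
                key = "tag_denied" if effect == "Deny" else "tag_conditional" if "Condition" in stmt else "tag"
                r[key] = True
    return r

def classify(policy):
    """'n/a' (no CreateCluster), 'ok', 'denied', 'conditional' or 'missing'."""
    r = audit_policy(policy)
    if not r["create"]:
        return "n/a"
    if r["tag_denied"]:
        return "denied"
    return "ok" if r["tag"] else ("conditional" if r["tag_conditional"] else "missing")
```

Running `classify` over every policy attached to a principal gives you the list of documents to fix before forwarding the remainder to AWS Support as suggested in step 7.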
-1

If you're sure you've fixed the tagging everywhere, point it out to support.

Look at this link, related to ECS Tagging. https://docs.aws.amazon.com/AmazonECS/latest/developerguide/supported-iam-actions-tagging.html

EXPERT
answered 2 years ago
