How can I configure ECS task role to limit access from ECS Fargate Task to AWS resources by Task Tag?

0

I'm creating an ECS task definition and executing the task with the RunTask operation.

I want to allow the ECS task to retrieve the S3 file s3://esolang-worker/0123456789/code. This can be configured through the ECS task role and the IAM policy attached to it.

How can I allow access to the S3 file only when the ECS task has a specific tag, for example tag key "Status" with tag value "OK"?

I configured the following CloudFormation resource and tagged the ECS task with "Status: OK", but access is denied.

              - Effect: Allow
                Action:
                  - 's3:GetObject'
                Resource:
                  - 'arn:aws:s3:::esolang-worker/0123456789/code'
                Condition:
                  StringEquals:
                    'aws:RequestTag/Status': 'OK'

Full configuration

AWSTemplateFormatVersion: 2010-09-09
Resources:
  ECSTestTaskDefinition:
    Type: 'AWS::ECS::TaskDefinition'
    Properties:
      TaskRoleArn: !GetAtt ECSTestTaskRole.Arn
      ExecutionRoleArn: !GetAtt ECSTestExecutionRole.Arn
      ContainerDefinitions:
        - Name: Test
          Image: public.ecr.aws/aws-cli/aws-cli
          Command:
            - 's3'
            - 'cp'
            - 's3://esolang-worker/0123456789/code'
            - '-'
          Essential: true
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: /ecs/test
              awslogs-region: ap-northeast-1
              awslogs-create-group: 'true'
              awslogs-stream-prefix: ecs
      Family: ecs-test
      Cpu: 256
      Memory: 512
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      RuntimePlatform:
        OperatingSystemFamily: LINUX
  ECSTestTaskRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: ecs-test-task-role
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: [ecs-tasks.amazonaws.com]
            Action: ['sts:AssumeRole']
      Policies:
        - PolicyName: AllowTaskToRetrieveS3File
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 's3:ListBucket'
                Resource:
                  - 'arn:aws:s3:::esolang-worker'
              - Effect: Allow
                Action:
                  - 's3:GetObject'
                Resource:
                  - 'arn:aws:s3:::esolang-worker/0123456789/code'
                Condition:
                  StringEquals:
                    'aws:RequestTag/Status': 'OK'
  ECSTestExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: ecs-test-execution-role
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: [ecs-tasks.amazonaws.com]
            Action: ['sts:AssumeRole']
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
      Policies:
        - PolicyName: AllowTaskToCreateLogStreamAndPutLog
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'logs:CreateLogStream'
                  - 'logs:CreateLogGroup'
                  - 'logs:DescribeLogStreams'
                  - 'logs:PutLogEvents'
                Resource: '*'

By running the task from the AWS console with the following configurations:

this example outputs the following message.

download failed: s3://esolang-worker/0123456789/code to - An error occurred (403) when calling the HeadObject operation: Forbidden

When I remove the Condition from the s3:GetObject policy, this example successfully displays the file content.

2 Answers
1
Accepted Answer

The aws:RequestTag condition key is used to control access based on the tags associated with the AWS request, not the resource (in this case, the ECS task). In the ECS context, tasks don't have tags associated with the request itself.

Instead, you can use the aws:ResourceTag condition key to control access based on the tags associated with the ECS task. Here's how you can modify your IAM policy to achieve this:

Policies:
  - PolicyName: AllowTaskToRetrieveS3File
    PolicyDocument:
      Statement:
        - Effect: Allow
          Action:
            - 's3:ListBucket'
          Resource:
            - 'arn:aws:s3:::esolang-worker'
        - Effect: Allow
          Action:
            - 's3:GetObject'
          Resource:
            - 'arn:aws:s3:::esolang-worker/0123456789/code'
          Condition:
            StringEquals:
              'aws:ResourceTag/Status': 'OK'

In this updated policy, the aws:ResourceTag/Status condition key checks for the Status tag on the ECS task itself. If the task has a tag with the key Status and value OK, it will be granted access to the S3 object s3://esolang-worker/0123456789/code.

To tag your ECS task, you need to add the tag to the task definition. You can do this by modifying the ECSTestTaskDefinition resource in your CloudFormation template:

ECSTestTaskDefinition:
  Type: 'AWS::ECS::TaskDefinition'
  Properties:
    TaskRoleArn: !GetAtt ECSTestTaskRole.Arn
    ExecutionRoleArn: !GetAtt ECSTestExecutionRole.Arn
    ContainerDefinitions:
      # ... (container definitions)
    Family: ecs-test
    Cpu: 256
    Memory: 512
    NetworkMode: awsvpc
    RequiresCompatibilities:
      - FARGATE
    RuntimePlatform:
      OperatingSystemFamily: LINUX
    Tags:
      - Key: Status
        Value: OK

With this configuration, any ECS task created from the ECSTestTaskDefinition will have the Status: OK tag, and the IAM policy will grant access to the S3 object based on this tag.

Note that tags are associated with resources at the time of creation, so if you need to change the tags on an existing task, you'll need to update the task definition and update your service or run a new task using it.

AWS
answered 19 days ago
EXPERT
reviewed 12 hours ago
0

Have you tried the counterpart translation of

"Condition": {
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "Env",
            "CostCenter"
          ]
        }
      }

?

Reference: https://repost.aws/knowledge-center/iam-tag-based-restriction-policies

EXPERT
answered 20 days ago
EXPERT
reviewed 18 days ago
  • I tried the following configuration, but the result is that access to S3 is allowed for tasks with any value of the Status tag.

    Condition:
      'ForAllValues:StringEquals':
        'aws:TagKeys':
          - Status
    
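The accepted answer's point about which tags aws:RequestTag reads, and the commenter's observation that the ForAllValues:StringEquals / aws:TagKeys variant lets every task through, both come down to what is actually present in the request context when s3:GetObject is authorized. The Python model below is an added example, not code from this thread or from AWS. It resolves the tag-related global condition keys the way the IAM documentation defines them (aws:RequestTag and aws:TagKeys from tags carried in the API call itself, aws:ResourceTag from tags on the resource named in the request, aws:PrincipalTag from tags on the calling principal) and applies the documented set-operator rule that ForAllValues evaluates to true when the key is absent. The request contexts, the Status values and the OBJECT_ARN constant are constructed for the example; how a given service populates aws:PrincipalTag for a task role session, and which S3 resource types carry aws:ResourceTag, are outside what this model encodes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def as_list(value) -> List[str]:
    """IAM allows a string or a list in Action/Resource/condition values."""
    return [value] if isinstance(value, str) else list(value)


@dataclass
class RequestContext:
    """The slice of an IAM request context that tag condition keys read from."""
    action: str
    resource: str
    # Tags supplied in the API call (e.g. RunTask --tags); a GetObject call has none.
    request_tags: Dict[str, str] = field(default_factory=dict)
    # Tags on the resource named in the request (here the S3 object).
    resource_tags: Dict[str, str] = field(default_factory=dict)
    # Tags on the calling principal (the task role or its session).
    principal_tags: Dict[str, str] = field(default_factory=dict)

    def resolve(self, key: str) -> Optional[List[str]]:
        """Return the values of a context key, or None when the key is absent."""
        sources = {
            "aws:RequestTag/": self.request_tags,
            "aws:ResourceTag/": self.resource_tags,
            "aws:PrincipalTag/": self.principal_tags,
        }
        for prefix, tags in sources.items():
            if key.startswith(prefix):
                value = tags.get(key[len(prefix):])
                return None if value is None else [value]
        if key == "aws:TagKeys":
            # Multi-valued key, present only when the request carries tags.
            return list(self.request_tags) or None
        return None


def evaluate_condition(condition: dict, ctx: RequestContext) -> bool:
    """Evaluate a Condition block; every operator/key pair must match."""
    for operator, pairs in condition.items():
        set_op, _, base = operator.rpartition(":")
        if base != "StringEquals":
            raise NotImplementedError(f"only StringEquals is modelled, got {operator}")
        for key, policy_values in pairs.items():
            wanted = as_list(policy_values)
            actual = ctx.resolve(key)
            if set_op == "ForAllValues":
                # Absent key -> empty set -> vacuously true (the documented pitfall).
                if actual is not None and not all(v in wanted for v in actual):
                    return False
            elif set_op == "ForAnyValue":
                if not actual or not any(v in wanted for v in actual):
                    return False
            else:
                # Plain StringEquals: an absent key never matches.
                if actual is None or actual[0] not in wanted:
                    return False
    return True


def allow_matches(statement: dict, ctx: RequestContext) -> bool:
    """True when an Allow statement grants ctx.action on ctx.resource."""
    if statement.get("Effect") != "Allow":
        return False
    if ctx.action not in as_list(statement["Action"]):
        return False
    if ctx.resource not in as_list(statement["Resource"]):
        return False
    return evaluate_condition(statement.get("Condition", {}), ctx)


# Object ARN from the thread; the tasks and tags below are constructed.
OBJECT_ARN = "arn:aws:s3:::esolang-worker/0123456789/code"


def get_object_statement(condition: dict) -> dict:
    return {"Effect": "Allow", "Action": ["s3:GetObject"],
            "Resource": [OBJECT_ARN], "Condition": condition}


def run_scenarios() -> Dict[str, bool]:
    """GetObject calls from tasks whose role session carries a Status tag (constructed)."""
    ok_task = RequestContext("s3:GetObject", OBJECT_ARN, principal_tags={"Status": "OK"})
    other_task = RequestContext("s3:GetObject", OBJECT_ARN, principal_tags={"Status": "NG"})
    tagged_object = RequestContext("s3:GetObject", OBJECT_ARN,
                                   principal_tags={"Status": "NG"},
                                   resource_tags={"Status": "OK"})
    request_tag = get_object_statement({"StringEquals": {"aws:RequestTag/Status": "OK"}})
    tag_keys = get_object_statement({"ForAllValues:StringEquals": {"aws:TagKeys": ["Status"]}})
    resource_tag = get_object_statement({"StringEquals": {"aws:ResourceTag/Status": "OK"}})
    principal_tag = get_object_statement({"StringEquals": {"aws:PrincipalTag/Status": "OK"}})
    return {
        "RequestTag, OK task": allow_matches(request_tag, ok_task),
        "ForAllValues TagKeys, OK task": allow_matches(tag_keys, ok_task),
        "ForAllValues TagKeys, other task": allow_matches(tag_keys, other_task),
        "ResourceTag, untagged object, OK task": allow_matches(resource_tag, ok_task),
        "ResourceTag, object tagged OK, other task": allow_matches(resource_tag, tagged_object),
        "PrincipalTag, OK task": allow_matches(principal_tag, ok_task),
        "PrincipalTag, other task": allow_matches(principal_tag, other_task),
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {name}")
```

Running it prints one ALLOW/DENY line per scenario. Read against the thread: the question's aws:RequestTag policy is denied for every GetObject call because that key is never present on a non-tagging request; the aws:TagKeys variant is allowed for every caller for the same reason (absent key, ForAllValues); and aws:ResourceTag matches only when the object itself carries Status=OK, regardless of which task is calling, while aws:PrincipalTag is the key that is compared with the caller's own tags.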
