
How can I configure ECS task role to limit access from ECS Fargate Task to AWS resources by Task Tag?


I'm creating an ECS task definition and executing the task with the RunTask operation.

I want to allow the ECS task to retrieve the S3 file s3://esolang-worker/0123456789/code. This can be configured with an ECS task role and an IAM policy attached to it.

How can I allow access to the S3 file only when the ECS task has a specific tag? For example, tag name = "Status" and tag value = "OK"?

I configured the following CloudFormation resource and tagged the ECS task with "Status: OK", but access is denied.

              - Effect: Allow
                Action:
                  - 's3:GetObject'
                Resource:
                  - 'arn:aws:s3:::esolang-worker/0123456789/code'
                Condition:
                  StringEquals:
                    'aws:RequestTag/Status': 'OK'

Full configuration

AWSTemplateFormatVersion: 2010-09-09
Resources:
  ECSTestTaskDefinition:
    Type: 'AWS::ECS::TaskDefinition'
    Properties:
      TaskRoleArn: !GetAtt ECSTestTaskRole.Arn
      ExecutionRoleArn: !GetAtt ECSTestExecutionRole.Arn
      ContainerDefinitions:
        - Name: Test
          Image: public.ecr.aws/aws-cli/aws-cli
          Command:
            - 's3'
            - 'cp'
            - 's3://esolang-worker/0123456789/code'
            - '-'
          Essential: true
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: /ecs/test
              awslogs-region: ap-northeast-1
              awslogs-create-group: 'true'
              awslogs-stream-prefix: ecs
      Family: ecs-test
      Cpu: 256
      Memory: 512
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      RuntimePlatform:
        OperatingSystemFamily: LINUX
  ECSTestTaskRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: ecs-test-task-role
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: [ecs-tasks.amazonaws.com]
            Action: ['sts:AssumeRole']
      Policies:
        - PolicyName: AllowTaskToRetrieveS3File
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 's3:ListBucket'
                Resource:
                  - 'arn:aws:s3:::esolang-worker'
              - Effect: Allow
                Action:
                  - 's3:GetObject'
                Resource:
                  - 'arn:aws:s3:::esolang-worker/0123456789/code'
                Condition:
                  StringEquals:
                    'aws:RequestTag/Status': 'OK'
  ECSTestExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: ecs-test-execution-role
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: [ecs-tasks.amazonaws.com]
            Action: ['sts:AssumeRole']
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
      Policies:
        - PolicyName: AllowTaskToCreateLogStreamAndPutLog
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'logs:CreateLogStream'
                  - 'logs:CreateLogGroup'
                  - 'logs:DescribeLogStreams'
                  - 'logs:PutLogEvents'
                Resource: '*'

Running the task from the AWS console with the following configuration:

this example outputs the following message.

download failed: s3://esolang-worker/0123456789/code to - An error occurred (403) when calling the HeadObject operation: Forbidden

When I remove the Condition from the s3:GetObject policy, this example successfully displays the file content.

1 Answer

Have you tried with the counterpart translation of

"Condition": {
  "ForAllValues:StringEquals": {
    "aws:TagKeys": [
      "Env",
      "CostCenter"
    ]
  }
}

?

Reference: https://repost.aws/knowledge-center/iam-tag-based-restriction-policies

EXPERT answered 2 years ago
EXPERT reviewed 2 years ago
  • I tried the following configuration, but the result is that access to S3 is allowed for tasks with any value of the Status tag.

    Condition:
      'ForAllValues:StringEquals':
        'aws:TagKeys':
          - Status
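
The two outcomes reported on this page, the 403 with `aws:RequestTag/Status` and the allow-for-any-value result with `ForAllValues:StringEquals` on `aws:TagKeys`, both follow from how IAM treats a condition key that is absent from the request context. The following Python is an added example written for this page, not AWS code and not code from the asker or the answerer: it models those two documented evaluation rules, runs the page's two conditions against a constructed request context for an s3:GetObject call, and contrasts them with a condition on `aws:PrincipalTag/Status`, a key that describes the caller rather than the request. The request contexts, account id and session name are constructed; whether ECS exposes task tags as principal tags on the task-role session is not established on this page and must be checked against the AWS documentation before relying on it.

```python
"""Toy model of IAM condition evaluation for the tag conditions on this page.

Added example, not AWS code. It encodes two documented IAM rules:
  * a single-valued operator (StringEquals) on a key that is absent from the
    request context evaluates to false;
  * ForAllValues:StringEquals evaluates to true when the key is absent or has
    no values.
"""

# Constructed request context for the task's s3:GetObject call. A data-plane
# read carries no tags, so neither aws:RequestTag/* nor aws:TagKeys is present.
# Account id and session name are made up.
GET_OBJECT_CONTEXT = {
    "aws:PrincipalArn": "arn:aws:sts::111122223333:assumed-role/ecs-test-task-role/task",
}

# Constructed request context for a call that *does* carry tags (a tagging
# request). Only in such a request do the request-tag keys exist.
TAGGING_CONTEXT = {
    "aws:PrincipalArn": GET_OBJECT_CONTEXT["aws:PrincipalArn"],
    "aws:RequestTag/Status": "OK",
    "aws:TagKeys": ["Status"],
}


def evaluate_condition(condition, context):
    """Return True when every clause of a policy Condition block matches."""
    for operator, clauses in condition.items():
        for key, allowed in clauses.items():
            allowed = allowed if isinstance(allowed, list) else [allowed]
            if operator == "StringEquals":
                # Missing key -> false; otherwise the single value must match.
                if context.get(key) not in allowed:
                    return False
            elif operator == "ForAllValues:StringEquals":
                # Missing or empty key -> true; otherwise every request value
                # must appear in the policy's list.
                values = context.get(key, [])
                if not all(v in allowed for v in values):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def is_allowed(statement, context):
    """An Allow statement grants access only if its Condition is satisfied."""
    return (statement["Effect"] == "Allow"
            and evaluate_condition(statement.get("Condition", {}), context))


def _statement(condition):
    # Same Action/Resource as the question; only the Condition varies.
    return {
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": ["arn:aws:s3:::esolang-worker/0123456789/code"],
        "Condition": condition,
    }


# The question's condition.
REQUEST_TAG_STATEMENT = _statement({"StringEquals": {"aws:RequestTag/Status": "OK"}})
# The condition tried in the comment.
TAG_KEYS_STATEMENT = _statement({"ForAllValues:StringEquals": {"aws:TagKeys": ["Status"]}})
# A condition on the caller's own tags. Whether ECS surfaces task tags as
# principal tags on the task-role session is an assumption to verify, not
# something this page establishes.
PRINCIPAL_TAG_STATEMENT = _statement({"StringEquals": {"aws:PrincipalTag/Status": "OK"}})


def with_principal_tag(context, status):
    """Constructed context in which the caller's session carries Status=<status>."""
    return {**context, "aws:PrincipalTag/Status": status}


def page_outcomes():
    """Reproduce the behaviour reported in the question and in the comment."""
    return {
        # Question: RequestTag key absent on GetObject -> no match -> implicit deny (the 403).
        "request_tag_on_get_object": is_allowed(REQUEST_TAG_STATEMENT, GET_OBJECT_CONTEXT),
        # Same condition on a tagging request, where the key exists -> allow.
        "request_tag_on_tagging_call": is_allowed(REQUEST_TAG_STATEMENT, TAGGING_CONTEXT),
        # Comment: ForAllValues with absent aws:TagKeys -> allow for any task.
        "tag_keys_on_get_object": is_allowed(TAG_KEYS_STATEMENT, GET_OBJECT_CONTEXT),
        # PrincipalTag depends on the caller, not on the request being a tagging call.
        "principal_tag_missing": is_allowed(PRINCIPAL_TAG_STATEMENT, GET_OBJECT_CONTEXT),
        "principal_tag_ok": is_allowed(PRINCIPAL_TAG_STATEMENT, with_principal_tag(GET_OBJECT_CONTEXT, "OK")),
        "principal_tag_ng": is_allowed(PRINCIPAL_TAG_STATEMENT, with_principal_tag(GET_OBJECT_CONTEXT, "NG")),
    }


if __name__ == "__main__":
    for name, allowed in page_outcomes().items():
        print(f"{name:30} -> {'ALLOW' if allowed else 'DENY'}")
```

The `tag_keys_on_get_object` result is the documented behaviour that makes `ForAllValues` risky in an Allow statement: a request that does not carry the key matches. The IAM documentation recommends pairing it with a `Null` condition on the same key so that requests without the key are not matched.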
    
