Lambda policy not authorized to call RunTask - policy issue?

0

Hi all, I've been tearing my hair out about this, and I have a feeling the answer will be simple, but beyond me at the moment.

I have an S3 bucket notification that triggers a Lambda function to run a Fargate task to process the uploaded file. The Lambda function can download the file fine, but when invoking 'RunTask' via the AWS Node SDK, I get:

"UnauthorizedOperation: You are not authorized to perform this operation."

When I run the Lambda function locally with a user with Administrator permissions, all works fine, so it must be the Lambda's policy, which I've copied below (redacted values shown):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "ecs:RunTask"
      ],
      "Resource": [
        "arn:aws:s3:::<redacted>/*",
        "arn:aws:s3:::<redacted>",
        "arn:aws:ecs:us-east-1:<account_id>:task-definition/<task_def_family_name>:*"
      ]
    }
  ]
}
```

I have also tried with no ':*' wildcard for the task definition ARN, as well as 'ecs:*' broad-stroke permissions, and no dice.

Am I missing any additional permissions required for 'RunTask'? Perhaps some read permissions?

Thanks in advance.

asked 3 years ago · 564 views
1 Answer
0

There I go... Missing an ec2:DescribeSubnets in my Lambda role...

answered 3 years ago
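As an added example (not the asker's or answerer's policy), here is the question's policy with the missing ec2:DescribeSubnets from the answer added as its own statement, since RunTask on Fargate has to resolve the awsvpc subnets and DescribeSubnets does not support resource-level scoping, so its Resource must be "*". The bucket, account, task definition and role names are placeholders; the iam:PassRole statement is an assumption that only applies if the task definition references a task or execution role, which this thread does not say.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadUploadedObject",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::<redacted>",
        "arn:aws:s3:::<redacted>/*"
      ]
    },
    {
      "Sid": "RunProcessingTask",
      "Effect": "Allow",
      "Action": "ecs:RunTask",
      "Resource": "arn:aws:ecs:us-east-1:<account_id>:task-definition/<task_def_family_name>:*"
    },
    {
      "Sid": "DescribeSubnetsForAwsvpcNetworking",
      "Effect": "Allow",
      "Action": "ec2:DescribeSubnets",
      "Resource": "*"
    },
    {
      "Sid": "PassTaskRolesOnlyToEcsTasks",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": [
        "arn:aws:iam::<account_id>:role/<task_execution_role_name>",
        "arn:aws:iam::<account_id>:role/<task_role_name>"
      ],
      "Condition": {
        "StringEquals": { "iam:PassedToService": "ecs-tasks.amazonaws.com" }
      }
    }
  ]
}
```

Keeping each action in its own statement with the narrowest Resource it supports lets the Lambda role start only this task definition and hand only these two roles to ECS, rather than the 'ecs:*' blanket the question mentions trying.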
