In order for your Lambda function to pass the role to RunTask, the function's execution role policy needs to allow both ecs:RunTask and iam:PassRole. The policy currently associated with the function does not allow these actions.
Note: The ECS Task Role does not need these permissions. The Task Role only needs those permissions necessary for the functioning of the application itself.
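The two requirements in this answer (the execution role must allow ecs:RunTask and iam:PassRole; the task role only needs the application's own permissions) plus the trust relationship ECS needs on the task role can be checked before RunTask is ever called. The following is an added example, not code from the thread or from AWS: it inspects policy documents offline and reports a taskRoleArn that is not a role ARN, a trust policy that does not let ecs-tasks.amazonaws.com assume the role, and an iam:PassRole grant on Resource "*" (which works, but lets the function pass any role in the account to ECS). The account id, role names and policy documents are constructed for the demo.

```python
"""Offline checks for the Lambda -> ecs:RunTask -> task-role chain.

Added example, not code from the thread. Nothing here calls AWS: feed it the
policy documents you already pulled (aws iam get-role / get-role-policy).
"""
import re
from typing import Any, Dict, List

ECS_TASKS_PRINCIPAL = "ecs-tasks.amazonaws.com"
# arn:aws:iam::123456789012:role/Name or role/path/Name (also aws-cn, aws-us-gov)
ROLE_ARN_RE = re.compile(r"^arn:aws(-[a-z]+)?:iam::\d{12}:role/[\w+=,.@/-]+$")


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a single string or a list in Action/Resource/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_task_role_trust(role_arn: str, trust_policy: Dict[str, Any]) -> List[str]:
    """Findings for the role passed as taskRoleArn.

    'ECS was unable to assume the role ...' means one of these fails: the ARN
    is not a role (a user ARN, for instance), or the role's trust policy does
    not let ecs-tasks.amazonaws.com call sts:AssumeRole.
    """
    findings: List[str] = []
    if not ROLE_ARN_RE.match(role_arn):
        findings.append(f"{role_arn} is not an IAM role ARN "
                        "(taskRoleArn must be arn:aws:iam::<account>:role/<name>)")
    trusted = False
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*"}:
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if ECS_TASKS_PRINCIPAL in services:
            trusted = True
    if not trusted:
        findings.append(f"trust policy does not allow {ECS_TASKS_PRINCIPAL} to sts:AssumeRole")
    return findings


def check_execution_policy(policy: Dict[str, Any], task_role_arn: str) -> List[str]:
    """Findings for the Lambda execution role's identity policy.

    It needs ecs:RunTask plus iam:PassRole for the task role. PassRole on
    Resource "*" does work, but it lets the function hand any role in the
    account to ECS, so it is reported instead of accepted silently.
    Resources are matched exactly or as "*"; Condition blocks are not evaluated.
    """
    findings: List[str] = []
    can_run = can_pass = False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        resources = _as_list(stmt.get("Resource"))
        if actions & {"ecs:runtask", "ecs:*"}:
            can_run = True
        if actions & {"iam:passrole", "iam:*"}:
            if "*" in resources:
                can_pass = True
                findings.append('iam:PassRole is granted on Resource "*"; scope it to the task role ARN')
            elif task_role_arn in resources:
                can_pass = True
    if not can_run:
        findings.append("missing ecs:RunTask")
    if not can_pass:
        findings.append(f"missing iam:PassRole for {task_role_arn}")
    return findings


# Constructed sample inputs (account id, names and documents are made up).
TASK_ROLE_ARN = "arn:aws:iam::123456789012:role/app-task-role"
USER_ARN = "arn:aws:iam::123456789012:user/my-user"  # a user, not a role
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": ECS_TASKS_PRINCIPAL}}]}
LAMBDA_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": "lambda.amazonaws.com"}}]}  # trusts Lambda, not ECS tasks
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["ecs:RunTask", "iam:PassRole"], "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecs:RunTask", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": TASK_ROLE_ARN,
     "Condition": {"StringEquals": {"iam:PassedToService": ECS_TASKS_PRINCIPAL}}}]}

if __name__ == "__main__":
    print("user ARN as task role:", check_task_role_trust(USER_ARN, GOOD_TRUST))
    print("role trusting Lambda only:", check_task_role_trust(TASK_ROLE_ARN, LAMBDA_TRUST))
    print("role trusting ECS tasks:", check_task_role_trust(TASK_ROLE_ARN, GOOD_TRUST) or "ok")
    print("broad execution policy:", check_execution_policy(BROAD_POLICY, TASK_ROLE_ARN))
    print("scoped execution policy:", check_execution_policy(SCOPED_POLICY, TASK_ROLE_ARN) or "ok")
```

The scoped policy shows the shape a practitioner would want on the execution role: iam:PassRole limited to the one task role, with an iam:PassedToService condition so the role can only be passed to ECS tasks. The checker does not evaluate conditions or wildcard resource patterns, so it is a pre-flight sanity check, not a substitute for the IAM policy simulator.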
Thanks for the response! I think I might have been unclear. The Lambda function also has this inline policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ecs:runTask",
        "iam:PassRole"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
in addition to the AWSLambdaBasicExecutionRole and various other policies.
I should also note that when I try to run this locally, I get:
botocore.errorfactory.ClientException: An error occurred (ClientException) when calling the RunTask operation: ECS was unable to assume the role 'arn:aws:iam::account-ARN:user/my-user' that was provided for this task. Please verify that the role being passed has the proper trust relationship and permissions and that your IAM user has permissions to pass this role.
My user has Administrator Access, so I believe the problem is on the ECS side rather than on the Lambda side. Let me know if there's any more information I can provide. Thanks!
Hello,
Thank you for clarifying that the Lambda execution role has the required permissions to run the ECS task and to pass the IAM role. The trust relationship policy configuration also looks good, allowing the ECS task to assume the role. Here is the general troubleshooting guideline for this issue:
https://aws.amazon.com/premiumsupport/knowledge-center/ecs-unable-to-assume-role/
For further troubleshooting, we will need to look into account specific details. Please reach out to AWS support to investigate the issue.
Can you supply the policy statements attached to the Lambda execution role?
I'm using the AWS-managed Lambda execution role (if that's what you were asking).

```json
{
  "Effect": "Allow",
  "Action": [
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents"
  ],
  "Resource": "*"
}
```