CodePipelines Deploy to ECS

1

Hi,

I have created a pipeline to build and deploy to ECS. However, the pipeline fails at the Staging part with a message

"Insufficient permissions
The provided role does not have sufficient permissions to access ECS"
I have tried adding full administrative access to AWS-CodePipeline-Service but it's still failing with the same message.
What am I missing?

asked 6 years ago, 1660 views
6 Answers
0

Did you ever find a solution? I'm getting the same error message.

What's weird is that I have another pipeline that deploys to ECS without issue. The permissions for the two pipelines' roles are essentially identical. So it seems like it's a bug on AWS's end.

butters
answered 6 years ago
0

Unfortunately, no. I'm on eu-west-2 region. I also have a feeling it might be a bug. For some reason, it deployed fine a couple of random times, but generally fails with the ECS role message.

answered 6 years ago
0

For some reason pipelines started deploying on their own this morning. AWS must have updated something.

answered 6 years ago
0

I was out of the office last week - sorry for the delayed response.

AmmarRahman wrote:
For some reason pipelines started deploying on their own this morning. AWS must have updated something.

Glad to hear it's sorted for you! Unfortunately I'm still getting this error message in at least one of my pipelines. Would love it if someone from AWS would chime in on this thread as I can't imagine we're the only two customers facing this issue.

butters
answered 6 years ago
0

I've been trying to debug this for about a week now. I have a cross-account CodePipeline, so I need to specify the roles for each 'action' in CloudFormation (also possible through the CLI). My ECS service also happens to use an EC2 auto-scaling group and a network load balancer.

I read through the overly-permissive auto-generated role that the console generated, and discovered it was iam:PassRole that I was missing. It looks like the most relevant policy that includes it is /AmazonEC2ContainerServiceFullAccess, but I think it's kind of overkill. I just included it as an inline policy.

Here's the CloudFormation YAML for a cross-account ECS deployment role. It also includes KMS permission for cross-account access and S3 permissions for artifact access. To the best of my knowledge, there are no cross-account CodePipeline ECS examples out there, so I'm including the entire role:

Edit: You know what, screw it. I think it also requires (Start|Stop|Run)Task, (Describe|Register|Deregister)TaskDefinition, ListTaskDefinitions, maybe more. Might as well use ecs:*, so I'm replacing AmazonEC2ContainerServiceRole with AmazonEC2ContainerServiceFullAccess (keeping ...forEC2Role for its ECR permissions).

TheRole:
  Type: AWS::IAM::Role
  Properties:
    # You'll need a consistent name for cross-account deployments
    RoleName: !Ref EcsDeployRoleName
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${AccountIdDevo}:root # cross-account
            Service: codepipeline.amazonaws.com # same account
          Action: sts:AssumeRole
    # ManagedPolicyArns and Policies sit under Properties, at the same
    # indentation as AssumeRolePolicyDocument
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/AmazonEC2ContainerServiceFullAccess
      - arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role
    Policies:
      - PolicyName: PassRole
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action: iam:PassRole
              # '*' lets this role pass any role; scope it to the task
              # roles the deploy action actually passes once they are known
              Resource: '*'
      - PolicyName: ArtifactPolicy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - s3:GetObject
                - s3:GetObjectVersion
              Resource: !Sub arn:aws:s3:::${ArtifactBucket}/*
            - Effect: Allow
              Action: s3:ListBucket
              Resource: !Sub arn:aws:s3:::${ArtifactBucket}
      - PolicyName: KmsPolicy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - kms:Decrypt
                - kms:DescribeKey
                - kms:Encrypt
                - kms:GenerateDataKey
                # the real actions are kms:ReEncryptFrom / kms:ReEncryptTo
                - kms:ReEncrypt*
              Resource: !Sub arn:aws:kms:${RegionDevo}:${AccountIdDevo}:key/*

These CodePipeline error messages are the worst. Why can't they say what they mean?

Edited by: markuspeloquin on Feb 5, 2018 11:03 AM
(Added a little context to the first paragraph.)

Edited by: markuspeloquin on Feb 5, 2018 12:10 PM
(Replace AmazonEC2ContainerServiceRole with AmazonEC2ContainerServiceFullAccess)

answered 6 years ago
0

markuspeloquin wrote:
... discovered it was iam:PassRole that I was missing.
Thank you! The iam:PassRole was definitely the missing piece. I added it to my pipeline's role and boom, no more error message and my pipelines are working as expected. Right now I have added

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*"
        }
    ]
}

but will probably try to narrow down the resource from "*" to whatever role the pipeline is trying to pass.

Thanks again for the great tip. AWS really needs to update their docs and/or the mystifying error message.

butters
answered 6 years ago
