"Role is not valid" when trying to register a new ECS task definition with cross account assumed roles

0

Okay this is a tricky one, so I'll try and paint as good of a picture as possible.

Given

  • Multiple AWS accounts
  • Using github OIDC to assume a role in account A
  • The github role in account A then assumes a role in account B that allows it to perform actions in that account

This all works well and haven't had any issues except.

When trying to register a new ECS task definition ex: aws ecs register-task-definition --cli-input-json file://task-definition.json

We're receiving the following from the action Role is not valid

I can perform this action without a hitch from my administrator account using the same task-definition, so I believe the task-definition is correct.

What I've tried

  • provided the assumed role in account B with the following trusted entities
     {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "ecs.amazonaws.com",
                    "codedeploy.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
  • I've given the role in account B full access to all ECS resources
  • I've given the role in account B full admin access - (just to test) None of this worked

Github OIDC role - Account A (111111111111)

// Trust relationships - standard github oidc
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GithubOidcAuth",
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::264460841970:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": [
                "sts:TagSession",
                "sts:AssumeRoleWithWebIdentity"
            ],
            "Condition": {
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:OUR_REPO/*:*"
                },
                "ForAllValues:StringEquals": {
                    "token.actions.githubusercontent.com:iss": "http://token.actions.githubusercontent.com",
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}
// permissions
{
    "Statement": [
        {
            "Action": [
                "sts:TagSession",
                "sts:AssumeRole"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::22222222:role/github-deployer-assumed-XXXXX",
            ]
        }
    ],
    "Version": "2012-10-17"
}

Assumed role is designated account - Account B (2222222222)

// Trust relationships 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:role/github-oidc-deployer-XXXXX"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
// Permissions
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"RegisterTaskDefinition",
         "Effect":"Allow",
         "Action":[
            "ecs:RegisterTaskDefinition",
            "ecs:UpdateService",
            "ecs:DescribeServices"
         ],
         "Resource":"*"
      },
      {
         "Sid":"PassRolesInTaskDefinition",
         "Effect":"Allow",
         "Action":[
            "iam:PassRole"
         ],
         "Resource": "*"
      }
   ]
}

PS We are not using CodeDeploy

BarendB
已提问 10 个月前937 查看次数
1 回答
0

Please can you provide the GitHub action that’s registering the task. My hunch is that your not assuming the role in account b.

The first statement you added to the trust for the assumed role doesn’t need to be applied to the role that github is assuming.

profile picture
专家
已回答 10 个月前

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则

相关内容