CodePipelines Deploy to ECS

1

Hi,

I have created a pipeline to build and deploy to ECS. However, the pipeline fails at the Staging part with a message

"Insufficient permissions
The provided role does not have sufficient permissions to access ECS"
I have tried adding full administrative access to AWS-CodePipeline-Service but it's still failing with the same message.
What am I missing?

Asked 6 years ago, viewed 1728 times
6 answers
0

Did you ever find a solution? I'm getting the same error message.

What's weird is that I have another pipeline that deploys to ECS without issue. The permissions for the two pipelines' roles are essentially identical. So it seems like it's a bug on AWS's end..

butters
Answered 6 years ago
0

Unfortunately, no. I'm on the eu-west-2 region. I also have a feeling it might be a bug. For some reason, it deployed fine a couple of random times, but generally fails with the ECS role message.

Answered 6 years ago
0

For some reason pipelines started deploying on their own this morning. AWS must have updated something.

Answered 6 years ago
0

I was out of the office last week - sorry for the delayed response.

AmmarRahman wrote:
For some reason pipelines started deploying on their own this morning. AWS must have updated something.

Glad to hear it's sorted for you! Unfortunately I'm still getting this error message in at least one of my pipelines. Would love it if someone from AWS would chime in on this thread as I can't imagine we're the only two customers facing this issue.

butters
Answered 6 years ago
0

I've been trying to debug this for about a week now. I have a cross-account CodePipeline, so I need to specify the roles for each 'action' in CloudFormation (also possible through the CLI). My ECS service also happens to use an EC2 auto-scaling group and a network load balancer.

I read through the overly-permissive auto-generated role that the console generated, and discovered it was iam:PassRole that I was missing. It looks like the most relevant policy that includes it is /AmazonEC2ContainerServiceFullAccess, but I think it's kind of overkill. I just included it as an inline policy.

Here's the CloudFormation YAML for a cross-account ECS deployment role. It also includes KMS permission for cross-account access and S3 permissions for artifact access. To the best of my knowledge, there are no cross-account CodePipeline ECS examples out there, so I'm including the entire role:

Edit: You know what, screw it. I think it also requires (Start|Stop|Run)Task, (Describe|Register|Deregister)TaskDefinition, ListTaskDefinitions, maybe more. Might as well use ecs:*, so I'm replacing AmazonEC2ContainerServiceRole with AmazonEC2ContainerServiceFullAccess (keeping ...forEC2Role for its ECR permissions).

TheRole:
  Type: AWS::IAM::Role
  Properties:
    # You'll need a consistent name for cross-account deployments
    RoleName: !Ref EcsDeployRoleName
    AssumeRolePolicyDocument:
      Version: "2012-10-17"  # quoted so YAML parsers don't turn it into a date
      Statement:
        - Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${AccountIdDevo}:root # cross-account
            Service: codepipeline.amazonaws.com # same account
          Action: sts:AssumeRole
    # Indented to sit under Properties alongside AssumeRolePolicyDocument
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/AmazonEC2ContainerServiceFullAccess
      - arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role
    Policies:
      - PolicyName: PassRole
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action: iam:PassRole
              Resource: '*'
      - PolicyName: ArtifactPolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - s3:GetObject
                - s3:GetObjectVersion
              Resource: !Sub arn:aws:s3:::${ArtifactBucket}/* # fix parsing :) */
            - Effect: Allow
              Action: s3:ListBucket
              Resource: !Sub arn:aws:s3:::${ArtifactBucket}
      - PolicyName: KmsPolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - kms:Decrypt
                - kms:DescribeKey
                - kms:Encrypt
                - kms:GenerateDataKey
                - kms:ReEncrypt*  # the IAM actions are ReEncryptFrom/ReEncryptTo; plain kms:ReEncrypt matches nothing
              Resource: !Sub arn:aws:kms:${RegionDevo}:${AccountIdDevo}:key/* # fix parsing :) */

These CodePipeline error messages are the worst. Why can't they say what they mean?

Edited by: markuspeloquin on Feb 5, 2018 11:03 AM
(Added a little context to the first paragraph.)

Edited by: markuspeloquin on Feb 5, 2018 12:10 PM
(Replace AmazonEC2ContainerServiceRole with AmazonEC2ContainerServiceFullAccess)

Answered 6 years ago
0

markuspeloquin wrote:
... discovered it was iam:PassRole that I was missing.
Thank you! The iam:PassRole was definitely the missing piece. I added it to my pipeline's role and boom, no more error message and my pipelines are working as expected. Right now I have added

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*"
        }
    ]
}

but will probably try to narrow down the resource from "*" to whatever role the pipeline is trying to pass.

Thanks again for the great tip. AWS really needs to update their docs and/or the mystifying error message.

butters
Answered 6 years ago
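The two takeaways of the thread are that the deploy role needs iam:PassRole, and that a Resource of "*" on it should be narrowed to the roles the pipeline actually passes. The check below is an added example, not code from the thread or from AWS: it scans an IAM policy document for Allow statements that grant iam:PassRole (including via iam:* or *) and reports whether each one is scoped to named role ARNs and to a receiving service. The narrowed sample assumes the ECS deploy action passes the task and task execution roles to ecs-tasks.amazonaws.com; the account id and role names are placeholders.

```python
import fnmatch

# Constructed sample: the wildcard PassRole statement posted in the thread.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}
    ],
}

# Constructed sample: the same grant narrowed to the roles handed to ECS.
# Account id, role names and the receiving service are assumptions.
NARROWED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": [
                "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
                "arn:aws:iam::123456789012:role/myAppTaskRole",
            ],
            "Condition": {
                "StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}
            },
        }
    ],
}


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def passrole_findings(policy):
    """List Allow statements granting iam:PassRole; 'scoped' is True only when
    no wildcard resource is used and a PassedToService condition is present."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        # Action patterns are case-insensitive globs, so "iam:*" and "*" also match.
        if not any(fnmatch.fnmatch("iam:passrole", a) for a in actions):
            continue
        resources = _as_list(stmt.get("Resource", []))
        cond = stmt.get("Condition", {})
        service_limited = any("iam:PassedToService" in v for v in cond.values())
        findings.append({"resources": resources,
                         "scoped": "*" not in resources and service_limited})
    return findings
```

Run it against the role's inline policy documents; any finding with scoped False is a PassRole grant that still lets the pipeline hand out arbitrary roles.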
