"Role is not valid" when trying to register a new ECS task definition with cross account assumed roles

0

Okay this is a tricky one, so I'll try and paint as good of a picture as possible.

Given

  • Multiple AWS accounts
  • Using github OIDC to assume a role in account A
  • The github role in account A then assumes a role in account B that allows it to perform actions in that account

This all works well and haven't had any issues except.

When trying to register a new ECS task definition ex: aws ecs register-task-definition --cli-input-json file://task-definition.json

We're receiving the following from the action Role is not valid

I can perform this action without a hitch from my administrator account using the same task-definition, so I believe the task-definition is correct.

What I've tried

  • provided the assumed role in account B with the following trusted entities
     {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "ecs.amazonaws.com",
                    "codedeploy.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
  • I've given the role in account B full access to all ECS resources
  • I've given the role in account B full admin access - (just to test) None of this worked

Github OIDC role - Account A (111111111111)

// Trust relationships - standard github oidc
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GithubOidcAuth",
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::264460841970:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": [
                "sts:TagSession",
                "sts:AssumeRoleWithWebIdentity"
            ],
            "Condition": {
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:OUR_REPO/*:*"
                },
                "ForAllValues:StringEquals": {
                    "token.actions.githubusercontent.com:iss": "http://token.actions.githubusercontent.com",
                    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}
// permissions
{
    "Statement": [
        {
            "Action": [
                "sts:TagSession",
                "sts:AssumeRole"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::22222222:role/github-deployer-assumed-XXXXX",
            ]
        }
    ],
    "Version": "2012-10-17"
}

Assumed role is designated account - Account B (2222222222)

// Trust relationships 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:role/github-oidc-deployer-XXXXX"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
// Permissions
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"RegisterTaskDefinition",
         "Effect":"Allow",
         "Action":[
            "ecs:RegisterTaskDefinition",
            "ecs:UpdateService",
            "ecs:DescribeServices"
         ],
         "Resource":"*"
      },
      {
         "Sid":"PassRolesInTaskDefinition",
         "Effect":"Allow",
         "Action":[
            "iam:PassRole"
         ],
         "Resource": "*"
      }
   ]
}

PS We are not using CodeDeploy

BarendB
已提問 10 個月前檢視次數 944 次
1 個回答
0

Please can you provide the GitHub action that’s registering the task. My hunch is that your not assuming the role in account b.

The first statement you added to the trust for the assumed role doesn’t need to be applied to the role that github is assuming.

profile picture
專家
已回答 10 個月前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南