
I am trying to deploy an ECR image to ECS Fargate. In the Dockerfile I run an AWS CLI command to download a file from S3.

However, I require the relevant permissions to access S3 from ECS. There is a task role (under the ECS task definition, screenshot below) through which I presume I can grant ECS the rights to access S3. However, the dropdown only offers me the default ecsTaskExecutionRole, and not a custom role I created myself.


Is this a bug? Or am I required to add the role elsewhere?

[NOTE] I do not want to include the AWS keys as an environment variable in Docker for security reasons.

[UPDATES]

Added a new ECS role with a permissions boundary for S3. The task role still did not show up.


Jake
  • See the [Creating the task execution IAM role](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html#create-task-execution-role) documentation. You probably forgot to add the ECS assume role trust policy, so it isn't showing up in that dropdown. The dropdown is only showing valid roles that can be assigned to ECS tasks. – Mark B Mar 09 '22 at 15:56

1 Answer


Did you grant ECS the right to assume your custom role? As per documentation:

https://docs.aws.amazon.com/AmazonECS/latest/userguide/task-iam-roles.html#create_task_iam_policy_and_role

A trust relationship needs to be established, so that the ECS service can assume the role on your behalf.

lqc
  • Hmm, I just created a new ECS role and checked that it has the trust relationship, but that role still did not show up in my ECS task role dropdown. Attached screenshots. – Jake Mar 11 '22 at 14:37
  • Just found out that I selected `Elastic Container Service` instead of `Elastic Container Service Task`. This resolves it, thank you. – Jake Mar 14 '22 at 05:03
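As an added example (not code from the question or the answer), the trust policy that makes a custom role selectable as a task role, next to a check that tells the `ecs-tasks.amazonaws.com` principal (the "Elastic Container Service Task" use case) apart from `ecs.amazonaws.com` (the plain "Elastic Container Service" one). The bucket and object key in the permissions policy are constructed placeholders.

```python
# Service principal that ECS tasks present when assuming a task role.
# ecs.amazonaws.com is the ECS service itself; a role that trusts only
# that principal is not offered in the task role dropdown.
ECS_TASKS_PRINCIPAL = "ecs-tasks.amazonaws.com"
ECS_SERVICE_PRINCIPAL = "ecs.amazonaws.com"


def trust_policy(service_principals):
    """Build an IAM trust policy; takes one principal or a list of them."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": service_principals},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def assumable_by_ecs_tasks(policy):
    """True if some Allow statement grants sts:AssumeRole to ECS tasks."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        services = stmt.get("Principal", {}).get("Service", [])
        if isinstance(services, str):
            services = [services]
        if "sts:AssumeRole" in actions and ECS_TASKS_PRINCIPAL in services:
            return True
    return False


# Least-privilege permissions policy for the task role: read the one object
# the Dockerfile needs instead of granting broad S3 access (placeholder names).
S3_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-config-bucket/config/app.yaml",
        }
    ],
}
```

`trust_policy(ECS_TASKS_PRINCIPAL)` is what you pass to `aws iam create-role --assume-role-policy-document`, and `S3_READ_POLICY` to `aws iam put-role-policy`; with that trust policy the role shows up in the task role dropdown and the container never needs static keys.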