AWS cli within task/container uses instance role policy and not task role

2
votes

If I use the aws cli from within a container on ECS then it appears that the IAM policy attached to the ECS instance role applies as it should but the task role IAM policy isn't used at all.

Scenario:

aws s3 cp local/file s3://remotebucket

s3 PutObject policy attached to task role, not instance role - access denied

s3 PutObject policy attached to instance role, not task role - success

My understanding of IAM in tasks is that the container inherits the instance role, but also includes the policies from the task role? How can I get the first scenario to work? http://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html

1
amazon-web-servicesamazon-iamamazon-ecs
Running into the same issue. Did you ever find a solution for this? From what I can tell, the AWS CLI needs to assume the role from the EC2 instances. - John Veldboom

1 Answers

4
votes

After banging my head around on this for a day, it turns out the issue is caused by an out of date AWS CLI. http://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html#task-iam-roles-minimum-sdk

In my case I was installing aws-cli with apt-get install aws-cli which installs version 1.4.2. This version does not handle the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable needed to get the correct IAM. So it defaults to getting the instance's IAM.

The solution was to install the AWS CLI through pip or the bundled installation to ensure I had the latest version. The same will apply for the AWS SDKs - required versions are described in the link above.