I have a scheduled ECS Fargate task running in my "AccountA". The task needs to access an S3 bucket located in another AWS account, "AccountB".
The ECS task in AccountA assumes a role "AccountA_ECSTaskRole". I have created a role "AccountB_S3AccessBucketRole" in AccountB to allow the IAM role "AccountA_ECSTaskRole" to access the S3 bucket in AccountB.
The AccountB_S3AccessBucketRole policy is as follows:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "s3:ListBucket",
                    "s3:GetBucketLocation"
                ],
                "Effect": "Allow",
                "Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject"
                ],
                "Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME/*"
            }
        ]
    }
And the assume role policy:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Principal": {
                    "AWS": "AccountA_ECSTaskRole_ARN"
                }
            }
        ]
    }
My task is a Docker container running: aws s3 cp myfiletocopy s3://ACCOUNTB_BUCKET_NAME/
I specified the taskRoleArn in the task definition as AccountA_ECSTaskRole_ARN. The AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable seems to correctly be set by the ECS agent in my container since I can echo it.
Still, I'm getting: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
AccountB_S3AccessBucketRole
– Mark B
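A cross-account AssumeRole is authorized on two sides: the trust policy on the AccountB role must name the caller (which the question's trust policy does), and, because the accounts differ, the caller's own identity-based policy in AccountA must also allow sts:AssumeRole on the AccountB role ARN. Even then, the task's credentials only carry AccountB permissions after the role is actually assumed; running aws s3 cp directly with the task-role credentials uses AccountA's identity, which AccountB's bucket does not trust. The following stdlib-only Python script is an added example, not code from the question or its answers: it evaluates both halves of that authorization over constructed placeholder ARNs and a hypothetical AccountA task-role policy (the question does not show that policy), and emits the missing statement plus an AWS CLI profile that makes the CLI assume the role using the ECS container credentials.

```python
import fnmatch
import json

# Constructed placeholders (not from the original post): account IDs and ARNs.
ACCOUNT_A = "111111111111"
ACCOUNT_B = "222222222222"
TASK_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/AccountA_ECSTaskRole"
TARGET_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/AccountB_S3AccessBucketRole"

# Trust policy on the AccountB role, shaped like the one in the question.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": TASK_ROLE_ARN}}],
}

# Hypothetical identity policy attached to AccountA_ECSTaskRole: S3 rights
# inside AccountA only, and no sts:AssumeRole (the question does not show it).
TASK_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::accounta-bucket/*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single one.
    return fnmatch.fnmatchcase(value, pattern)


def _account_of(arn):
    return arn.split(":")[4]


def trust_policy_allows(trust_policy, principal_arn):
    """Does the role's trust policy let principal_arn call sts:AssumeRole?"""
    root = f"arn:aws:iam::{_account_of(principal_arn)}:root"
    for st in trust_policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if not any(_match(a, "sts:AssumeRole") for a in _as_list(st.get("Action", []))):
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            return True
        for p in _as_list(principal.get("AWS", [])):
            # The exact ARN, the account root ARN or the bare account ID all
            # admit the caller (root / account ID defer to its identity policy).
            if p in ("*", principal_arn, root, _account_of(principal_arn)):
                return True
    return False


def identity_policy_allows(policy, action, resource):
    """Evaluate Allow/Deny statements; an explicit Deny always wins.
    NotAction/NotResource and Condition keys are not modelled here."""
    allowed = False
    for st in policy["Statement"]:
        if not any(_match(a, action) for a in _as_list(st.get("Action", []))):
            continue
        if not any(_match(r, resource) for r in _as_list(st.get("Resource", []))):
            continue
        if st.get("Effect") == "Deny":
            return False
        if st.get("Effect") == "Allow":
            allowed = True
    return allowed


def check_cross_account_assume(trust_policy, identity_policy, principal_arn, target_arn):
    """Both halves must allow a cross-account AssumeRole. A same-account
    principal named explicitly in the trust policy needs no identity grant."""
    cross_account = _account_of(principal_arn) != _account_of(target_arn)
    trusted = trust_policy_allows(trust_policy, principal_arn)
    granted = identity_policy_allows(identity_policy, "sts:AssumeRole", target_arn)
    return {"trusted": trusted, "identity_grant": granted,
            "ok": trusted and (granted or not cross_account)}


def assume_role_statement(target_arn):
    """Statement to add to the AccountA task role's identity policy."""
    return {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": target_arn}


def cli_profile(name, target_arn):
    """~/.aws/config profile: the CLI assumes target_arn with the ECS task
    credentials (credential_source = EcsContainer), so
    'aws s3 cp ... --profile <name>' runs as the AccountB role."""
    return (f"[profile {name}]\n"
            f"role_arn = {target_arn}\n"
            "credential_source = EcsContainer\n")


if __name__ == "__main__":
    result = check_cross_account_assume(TRUST_POLICY, TASK_ROLE_POLICY,
                                        TASK_ROLE_ARN, TARGET_ROLE_ARN)
    print(json.dumps(result, indent=2))
    if not result["identity_grant"]:
        print("add to AccountA_ECSTaskRole:", json.dumps(assume_role_statement(TARGET_ROLE_ARN)))
    print(cli_profile("accountb", TARGET_ROLE_ARN))
```

With the constructed policies the check reports trusted but not ok, because the task role has no sts:AssumeRole grant; appending the emitted statement flips it, and an explicit Deny on sts:* overrides it again. Writing the profile into the container's ~/.aws/config and running the copy with --profile accountb is what turns the trust relationship into credentials the CLI actually uses; an alternative is a bucket policy in AccountB that grants the AccountA role directly, which avoids the assume step but leaves uploaded objects owned by AccountA unless bucket-owner-enforced ownership is set.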