1
votes

I have a scheduled ECS Fargate task running in my "AccountA". The task needs to access an S3 bucket located in another AWS account, "AccountB".

The ECS task in the AccountA assumes a role "AccountA_ECSTaskRole". I have created a role "AccountB_S3AccessBucketRole" in the AccountB to allow the IAM role "AccountA_ECSTaskRole" to access the S3 bucket in AccountB.

The AccountB_S3AccessBucketRole policy is as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME/*"
    }
  ]
}

And the assume role policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": "AccountA_ECSTaskRole_ARN"
      }
    }
  ]
}

My task is a Docker container running aws s3 cp myfiletocopy s3://ACCOUNTB_BUCKET_NAME/. I specified the taskRoleArn in the task definition as AccountA_ECSTaskRole_ARN. The AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable seems to be correctly set by the ECS agent in my container, since I can echo it. Still, I'm getting: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

3
Just creating a role in AccountB that can be assumed by AccountA doesn't mean Fargate knows to automatically use that role somehow. You need to add some sort of code or process in the ECS task to assume AccountB_S3AccessBucketRole. – Mark B

Thanks! I'm pretty sure AccountB_S3AccessBucketRole is actually useless and I just need to set a bucket policy directly instead. – alx.lzt

3 Answers

1
votes

From these steps, I see you are missing the "Resource" property for the sts:AssumeRole action.

1
votes

The above steps work fine, but I had to make a few more changes to make it work.

Verify whether the S3 bucket has encryption enabled; if so, ensure you grant permissions for the KMS (CMK) operations.

Example: in the account where the S3 bucket is created, add the following permissions to the S3 bucket's CMK key policy.

{
  "Sid": "Allow an external account to use the CMK",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::111211111111:role/ecs-task-execution-role",
      "arn:aws:iam::111211111111:user/User"
    ]
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}

(Use the role ARN if you use a role, or the user ARN if you use a user.)

In the account where ECS is deployed (the account where the service requiring access to S3 is deployed), add the following permissions to the role:

{
  "Sid": "AllowUseOfCMKInS3Account22123222222",
  "Effect": "Allow",
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "arn:aws:kms:us-east-1:22123222222:key/1234abcd-12ab-34cd-12ef-1234567890de"
}

0
votes

I made it work by setting a bucket policy for ACCOUNTB_BUCKET_NAME, and not a role, as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Principal": {
        "AWS": "AccountA_ECSTaskRole_ARN"
      },
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "AccountA_ECSTaskRole_ARN"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME/*"
    }
  ]
}

And setting the AccountA_ECSTaskRole policy to allow access to ACCOUNTB_BUCKET_NAME:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME/*"
    }
  ]
}
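As an added example (not code from the question or any of the answers), the following Python model shows the IAM decision behind this thread: a cross-account S3 request succeeds only when the task role's identity policy in AccountA and the bucket policy in AccountB both allow the action, whereas inside one account either policy alone suffices, and an explicit Deny on either side always wins. The account IDs and ARNs are constructed placeholders, and the bucket policy is trimmed to the object-level statement from the last answer.

```python
import fnmatch

# Constructed placeholders mirroring the thread: task role in AccountA (111111111111),
# bucket owned by AccountB (222222222222). Account IDs are made up.
TASK_ROLE_ARN = "arn:aws:iam::111111111111:role/AccountA_ECSTaskRole"
BUCKET_ARN = "arn:aws:s3:::ACCOUNTB_BUCKET_NAME"
BUCKET_OWNER = "222222222222"

# Identity-based policy on AccountA_ECSTaskRole (as in the last answer).
TASK_ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": BUCKET_ARN},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": BUCKET_ARN + "/*"}]}

# Resource-based bucket policy in AccountB naming the AccountA role as principal.
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": TASK_ROLE_ARN},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET_ARN + "/*"}]}

def _matches(patterns, value):
    # IAM wildcards ("s3:Get*", ".../*") are glob-like; fnmatchcase keeps them case-sensitive.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _decide(statements, action, resource, principal_arn=None):
    """'Deny', 'Allow' or None (implicit deny) from one policy document."""
    decision = None
    for s in statements:
        if not (_matches(s["Action"], action) and _matches(s["Resource"], resource)):
            continue
        principal = s.get("Principal", "*")          # identity policies carry no Principal
        if principal_arn and principal != "*" and not _matches(principal.get("AWS", []), principal_arn):
            continue
        if s["Effect"] == "Deny":
            return "Deny"                            # an explicit deny always wins
        decision = "Allow"
    return decision

def s3_request_allowed(identity_policy, bucket_policy, principal_arn, action, resource):
    """Simplified IAM evaluation: a cross-account request needs BOTH policies to allow."""
    ident = _decide(identity_policy["Statement"], action, resource)
    bucket = _decide(bucket_policy["Statement"], action, resource, principal_arn)
    if "Deny" in (ident, bucket):
        return False
    if principal_arn.split(":")[4] == BUCKET_OWNER:  # same account: either policy suffices
        return "Allow" in (ident, bucket)
    return ident == "Allow" and bucket == "Allow"
```

Evaluating the questioner's original setup (task role policy present, no bucket policy in AccountB) with this model yields the implicit deny that surfaces as AccessDenied on PutObject.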