4 votes

I am trying to access a ".env" file stored in an S3 bucket from Fargate ECS tasks using the Environment Files configuration (S3 ARN) under Container Definition.

But the ECS task is failing with Stopped Reason: "ResourceInitializationError: failed to download env files: file download command: non-empty error stream: failed to download file configs-staging-1.env: failed to write to a temporary file: AccessDenied: Access Denied ..."

I have a Task role attached to my Fargate task definition as below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::app-configs"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::app-configs/*"
        }
    ]
}

and also a bucket policy is set:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789:role/ecsS3AccessTaskRole"
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::app-configs"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789:role/ecsS3AccessTaskRole"
            },
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::app-configs/*"
        }
    ]
}

What permission am I missing here?

1
Facing the same error.. :( – R.R

For me I had server side encryption enabled on the S3 bucket, that's why I was getting the Access Denied error. After disabling server side encryption, and with a proper Task Role with S3 permissions as below, it was working for me:

    "Statement": [ { "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Effect": "Allow", "Resource": "arn:aws:s3:::app-configs" }, {

I still haven't figured out what permissions are required with server side encryption on at bucket level. – a-k

I just used Systems Manager - Parameter Store to get environment variables :) – R.R

For me, I had to enable "auto assign public IP". – Anubhav Ujjawal

1 Answer

2 votes

According to the AWS documentation (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html), you need to attach the policies to the ecsTaskExecutionRole IAM role. (You don't need to add a permission to the S3 bucket.)
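The point of the answer is which role is consulted: the env file is fetched by the ECS agent before the container starts, so it is the task definition's executionRoleArn (not taskRoleArn) that needs S3 read access. The script below is an added example, not code from the question, the answer, or AWS; it prints a least-privilege inline policy for the execution role and the environmentFiles entry that references the object, and wraps the attach step in a function that only runs if you call it (it needs the AWS CLI and credentials). The policy and role names, and the ecsEnvFileS3Read policy name, are assumptions; the bucket and object name are taken from the question and its error message. Only s3:GetObject on the object and s3:GetBucketLocation on the bucket are required for env files; the PutObject and *Acl actions in the question's task role are not, and if the bucket is encrypted with SSE-KMS under a customer managed key the same execution role also needs kms:Decrypt on that key (the documented requirement for the SSE case a-k's comment ran into).

```shell
#!/usr/bin/env sh
# Added example (not from the question, the answer or AWS): give the ECS
# *execution* role read access to the env file and reference the file from the
# container definition. Role and policy names below are assumptions.
set -eu

BUCKET="app-configs"               # bucket from the question
ENV_KEY="configs-staging-1.env"    # object named in the error message
EXEC_ROLE="ecsTaskExecutionRole"   # role named in the answer (assumed name)

# Minimal policy for downloading an environment file: GetObject on the object,
# GetBucketLocation on the bucket. No ListBucket, PutObject or ACL actions.
execution_role_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::${BUCKET}/${ENV_KEY}"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::${BUCKET}"
    }
  ]
}
EOF
}

# environmentFiles entry for the container definition. The task definition's
# executionRoleArn must point at $EXEC_ROLE, or the agent never uses this policy.
env_files_fragment() {
  cat <<EOF
{
  "environmentFiles": [
    { "value": "arn:aws:s3:::${BUCKET}/${ENV_KEY}", "type": "s3" }
  ]
}
EOF
}

# Attach the policy inline to the execution role. Needs the AWS CLI and
# credentials with iam:PutRolePolicy; call it explicitly when you want it run.
apply_execution_role_policy() {
  policy_file="$(mktemp)"
  execution_role_policy > "$policy_file"
  aws iam put-role-policy \
    --role-name "$EXEC_ROLE" \
    --policy-name ecsEnvFileS3Read \
    --policy-document "file://$policy_file"
  rm -f "$policy_file"
}

# Default action: print both documents so they can be reviewed or pasted.
execution_role_policy
env_files_fragment
```

Apply with `apply_execution_role_policy` from an interactive shell (or add a call at the end of the script) once the output looks right. A bucket policy is only needed for cross-account access; in the same account the execution role's identity policy is sufficient, and the "auto assign public IP" comment above points at the other common failure, a Fargate task in a subnet with no route to S3.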