0
votes

I am trying to set up "IAM permissions for Fargate tasks pulling Amazon ECR images". For that I have used the following task execution role policy, but I am getting the error:

Error creating IAM Role. MalformedPolicyDocument: Has prohibited field Resource

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecr:GetAuthorizationToken",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecr:BatchCheckLayerAvailability",
                    "ecr:GetDownloadUrlForLayer",
                    "ecr:BatchGetImage"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "aws:sourceVpce": "vpce-xxxxxx",
                        "aws:sourceVpc": "vpc-xxxxx"
                    }
                }
            }
        ]
    }

Can someone help me with this issue?

1
Can you provide complete TF code? The policy looks fine. - Marcin
Are you setting this policy inside the assume role section? Similar question: stackoverflow.com/questions/44565879/… - Arun Kamalanathan

1 Answer

0
votes

I assume you're following this guide?

This is an error that comes up when you try to put an access policy (what a role/user is allowed to do) in a trust policy (who/what is allowed to assume a role).

Essentially, you're trying to put your policy in the wrong spot. The IAM role should specify ECS as the trusted service, and in an attached policy it should have the policy you included in your question.
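The split the answer describes, written out as Terraform (an added example, not code from the question or the answer): the trust policy goes in `assume_role_policy` and names `ecs-tasks.amazonaws.com` as the principal, while the ECR/CloudWatch statements from the question are attached as a separate `aws_iam_role_policy`. The role and policy names are assumed placeholders; the `vpce-`/`vpc-` values are the question's own placeholders.

```hcl
# Trust policy: WHO may assume the role. Only Principal, Action and
# Condition belong here. A "Resource" field in this document is exactly
# what produces "MalformedPolicyDocument: Has prohibited field Resource".
resource "aws_iam_role" "ecs_task_execution" {
  name = "ecsTaskExecutionRole-example" # assumed placeholder name

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ecs-tasks.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Permissions policy: WHAT the role may do. This is the document from the
# question, attached to the role rather than embedded in its trust policy.
resource "aws_iam_role_policy" "ecs_task_execution_ecr" {
  name = "ecr-pull-via-vpc-endpoint" # assumed placeholder name
  role = aws_iam_role.ecs_task_execution.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # GetAuthorizationToken does not support resource-level scoping,
        # so "*" is required here.
        Effect   = "Allow"
        Action   = ["ecr:GetAuthorizationToken", "logs:CreateLogStream", "logs:PutLogEvents"]
        Resource = "*"
      },
      {
        # Layer/image pulls are only allowed when the request arrives
        # through the named VPC endpoint from the named VPC.
        Effect   = "Allow"
        Action   = ["ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]
        Resource = "*"
        Condition = {
          StringEquals = {
            "aws:sourceVpce" = "vpce-xxxxxx" # placeholder from the question
            "aws:sourceVpc"  = "vpc-xxxxx"   # placeholder from the question
          }
        }
      }
    ]
  })
}
```

If `terraform plan` still reports `MalformedPolicyDocument`, check that the document containing `Resource` is the one passed to `aws_iam_role_policy` (or `aws_iam_policy`) and not to `assume_role_policy`.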