So I'm trying to replicate this ECS docker-compose example in CDK and having permission issues. I'm copying all the permissions in that example but not sure if I'm assigning them to the right role. Basically, it's a task that can launch other tasks. Here's the permissions bit:

```python
task = ecs.FargateTaskDefinition(
    self,
    "DagsterTaskDefinition",
    cpu=1024,
    memory_limit_mib=2048,
)
...
daemon_container = task.add_container
daemon_role = iam.Role(
    self,
    "DagsterDaemontRole",
    assumed_by=iam.ServicePrincipal("ecs-tasks.amazonaws.com"),
)
...
daemon_role.add_to_policy(
    iam.PolicyStatement(
        effect=iam.Effect.ALLOW,
        actions=[
            "ec2:DescribeNetworkInterfaces",
            "ecs:DescribeTaskDefinition",
            "ecs:DescribeTasks",
            "ecs:ListAccountSettings",
            "ecs:RegisterTaskDefinition",
            "ecs:RunTask",
            "ecs:TagResource",
            "secretsmanager:DescribeSecret",
            "secretsmanager:ListSecrets",
            "secretsmanager:GetSecretValue",
        ],
        resources=["*"],
        conditions={
            "StringLike": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}
        },
    )
)
daemon_container.task_role = daemon_role
```

which all seems OK, but my task's container is getting an error.

The docker compose works when I deploy to ECS, so I guess I'm assigning the role to the wrong thing?
Replies: 4 comments
-
doing a

```json
{
    "Path": "/",
    "RoleName": "DagsterStack-DagsterTaskDefinitionTaskRole206689E5-14SRACUSBWJS3",
    "RoleId": "AROA5MCQZ76MWZDFC53N4",
    "Arn": "arn:aws:iam::919292477337:role/DagsterStack-DagsterTaskDefinitionTaskRole206689E5-14SRACUSBWJS3",
    "CreateDate": "2022-08-24T05:32:13+00:00",
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "ecs-tasks.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    },
    "Description": "",
    "MaxSessionDuration": 3600
}
```

so a role is being created but seems to not get the permissions? In fact, no role has the permissions.
-
I removed the conditions and it seems to work now... sort of
-
I think the issue is that there is a separate policy statement that concerns fewer (and different) actions than you're combining with the condition now:

```yaml
- Effect: "Allow"
  Action:
    - "iam:PassRole"
  Resource:
    - "*"
  Condition:
    StringLike:
      iam:PassedToService: "ecs-tasks.amazonaws.com"
```

In other words, I think you might want to add another `daemon_role.add_to_policy(...)`. The condition
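As an added illustration of the reply above (example code, not from the discussion, Dagster or CDK), a small simplified IAM evaluator with constructed policy documents shows why the `iam:PassedToService` condition only works on `iam:PassRole`: IAM does not put that context key into an `ecs:RunTask` request, so a statement carrying the condition never matches for it and the call is implicitly denied. `is_allowed`, `COMBINED_POLICY` and `SPLIT_POLICY` are hypothetical names; resource matching and explicit Deny are not modelled.

```python
"""Added example (hypothetical, not Dagster/CDK code): IAM only supplies the
iam:PassedToService context key for iam:PassRole requests, so a StringLike
condition on that key can never match for ecs:RunTask and grants nothing."""
import fnmatch

# Constructed: one statement carrying the condition for every action (the bug).
COMBINED_POLICY = [{
    "Effect": "Allow",
    "Action": ["ecs:RunTask", "ecs:RegisterTaskDefinition", "iam:PassRole"],
    "Resource": "*",
    "Condition": {"StringLike": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}},
}]

# Constructed: the split form the reply suggests; condition only on PassRole.
SPLIT_POLICY = [
    {"Effect": "Allow", "Action": ["ecs:RunTask", "ecs:RegisterTaskDefinition"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*",
     "Condition": {"StringLike": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
]

# Request contexts: the key exists only when a role is actually being passed.
RUN_TASK_CTX = {}
PASS_ROLE_CTX = {"iam:PassedToService": "ecs-tasks.amazonaws.com"}


def _condition_matches(condition, context):
    """Only StringLike is modelled; a key missing from the context never matches."""
    for key, pattern in condition.get("StringLike", {}).items():
        value = context.get(key)
        if value is None or not fnmatch.fnmatchcase(value, pattern):
            return False
    return True


def is_allowed(policy, action, context):
    """Implicit deny unless an Allow statement matches the action and its conditions.
    Explicit Deny and resource matching are deliberately left out."""
    for stmt in policy:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    print("combined ecs:RunTask:", is_allowed(COMBINED_POLICY, "ecs:RunTask", RUN_TASK_CTX))  # False
    print("split    ecs:RunTask:", is_allowed(SPLIT_POLICY, "ecs:RunTask", RUN_TASK_CTX))     # True
```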
-
Hello! Reopening this discussion to make it searchable.