iam:PassRole action missing when running CDK task from aws cli

[franck102]

Hi all,

I have used cdk to create a FargateTaskDefinition, not attached to any service, that I want to run on-demand. I can successfully run the task from the AWS Console, however the same fails when calling "aws ecs run-task" from the aws cli with this error:

An error occurred (AccessDeniedException) when calling the RunTask operation: 
User: arn:aws:sts::<account id>:assumed-role/AWSReservedSSO_PowerUserAccess_xxx/franck102 
is not authorized to perform: iam:PassRole on resource: <arn of my task>
 because no identity-based policy allows the iam:PassRole action

I have read about the PassRole action however I am lost in the maze of users/roles/policies/permissions...
I am logged in through aws sso as franck102, and that user has the AWS managed PowerUser policy attached through a permission set... and I have no idea where to go from there?

Any pointer in the right direction would be appreciated :)

[franck102]

I am able to run the task if I add the AmazonECS_FullAccess policy to the PowerUserAccess permission set... however, is that the right thing to do?

Adding the AmazonECSTaskExecutionRolePolicy did not help, I received the same error.

[peterwoodworth]

The PowerUserAccess policy is a managed policy by amazon - it comes with permissions for everything except actions related to iam, accounts, and organizations. So since you need iam::PassRole, this is not allowed with the PowerUserAccess permission set.

You need an additional policy which will allow for iam::PassRole on your task arn. AmazonECS_FullAccess will grant this, and AmazonECSTaskExecutionRolePolicy will not.

[franck102]

Got it, thanks!

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.