
I'm trying to create some infrastructure for a service I am building on AWS using AWS Fargate. I'm using SSM as a value store for some of my application configuration, so I need both the regular permissions for Fargate as well as additional permissions for SSM. However, after banging my head against this particular wall for a while, I've come to the conclusion that I just don't understand AWS IAM in general or this problem in particular, so I'm here for help.

The basis of my IAM code comes from this tutorial; the IAM code is actually not in that tutorial but rather in this file in the github repo linked to that tutorial. I presume I need to retain that STS permission for something although I'm not entirely sure what.

I've converted the IAM code from the tutorial into a JSON document because I find JSON easier to work with than the Terraform native thing. Here's what I've come up with. It doesn't work. I would like to know why it doesn't work and how to fix it. Please ELI5 (explain like I'm 5 years old) because I know nothing about this.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameters",
        "secretsmanager:GetSecretValue",
        "kms:Decrypt",
        "sts:AssumeRole"
      ],
      "Principal": {
        "Service": ["ecs-tasks.amazonaws.com"]
      }
    }
  ]
}

1 Answer


At a minimum, your ECS task should have the permissions below:

  1. Ability to assume a role
  2. Resource level permissions

In the example you have referred to, an IAM role is created with the following:

  • A trust relationship is attached. <-- To enable the ECS task to assume the IAM role

  • The AWS managed policy AmazonECSTaskExecutionRolePolicy is attached. <-- Resource permissions

So, in order to retrieve the SSM parameter values, add the resource permissions below.

{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "ssm:Describe*",
            "ssm:Get*",
            "ssm:List*"
        ],
        "Resource": [
            "arn:aws:ssm:*:*:parameter/{your-path-hierarchy-to-parameter}/*"
        ]
    }
  ]
}

If your secrets use KMS, then grant the necessary KMS permissions (kms:Decrypt). See specifying-sensitive-data for reference.

  • The trick to this was that I had to add those permissions as a Task Role, not as a Task Execution Role. – Ertai87 Jan 02 '20 at 15:20
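The document in the question fails because it mixes the two separate documents an IAM role carries: the trust policy (who may call sts:AssumeRole on the role; it has a Principal and no Resource) and the permissions policy (what the role may do; it has a Resource and no Principal). The following Python is an added example, not code from the question, the answer, the tutorial or AWS: it classifies each statement, lints a document against the kind it is meant to be, and splits the asker's mixed statement into the trust and permissions documents IAM actually expects. The account ID, region and parameter path in the usage section are hypothetical placeholders; the only input copied from the page is the asker's policy.

```python
"""Sort IAM policy content into the two documents a role needs.

Added example, not code from the original post. A role carries a trust
policy (who may call sts:AssumeRole on it: has Principal, no Resource) and
separate permissions policies (what the role may do: has Resource, no
Principal). The question's document mixes both into one statement.
"""
import json

# Constructed input, copied from the question: the document that "doesn't work".
ASKER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm:GetParameters", "secretsmanager:GetSecretValue",
                   "kms:Decrypt", "sts:AssumeRole"],
        "Principal": {"Service": ["ecs-tasks.amazonaws.com"]},
    }],
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def classify_statement(stmt):
    """Return 'trust', 'permissions' or 'mixed' for one statement."""
    actions = _as_list(stmt.get("Action"))
    has_principal = "Principal" in stmt
    has_resource = "Resource" in stmt
    only_sts = bool(actions) and all(a.lower().startswith("sts:") for a in actions)
    if has_principal and not has_resource and only_sts:
        return "trust"
    if has_resource and not has_principal:
        return "permissions"
    return "mixed"


def lint_policy(doc, kind):
    """Check that every statement is the intended kind ('trust' or
    'permissions') and, for permissions, that it is not wide open."""
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append("use Version 2012-10-17")
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        got = classify_statement(stmt)
        if got != kind:
            findings.append(f"statement {i}: reads as a {got} statement, not a {kind} statement")
        actions = _as_list(stmt.get("Action"))
        if kind == "permissions":
            if "sts:AssumeRole" in actions:
                findings.append(f"statement {i}: sts:AssumeRole here lets the role assume "
                                "other roles; it does not let ECS assume this one")
            for res in _as_list(stmt.get("Resource")):
                if res == "*":
                    findings.append(f"statement {i}: Resource '*' covers every parameter and secret")
            for act in actions:
                if act == "*" or act.endswith(":*"):
                    findings.append(f"statement {i}: Action {act} is broader than the app needs")
    return findings


def split_mixed_statement(stmt, resource_arns):
    """Turn a mixed statement like the asker's into a trust document plus a
    permissions document scoped to resource_arns. The caller must supply the
    ARNs: the original statement has no Resource at all."""
    actions = _as_list(stmt.get("Action"))
    trust = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": stmt["Principal"],
            "Action": [a for a in actions if a.lower().startswith("sts:assumerole")],
        }],
    }
    permissions = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": [a for a in actions if not a.lower().startswith("sts:")],
            "Resource": list(resource_arns),
        }],
    }
    return trust, permissions


if __name__ == "__main__":
    print("asker's document:", lint_policy(ASKER_POLICY, "permissions"))
    # Hypothetical account, region and parameter path: replace with your own.
    trust, perms = split_mixed_statement(
        ASKER_POLICY["Statement"][0],
        ["arn:aws:ssm:us-east-1:123456789012:parameter/myapp/prod/*"])
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    print("trust:", lint_policy(trust, "trust"))
    print("permissions:", lint_policy(perms, "permissions"))
```

The trust document produced here is what the tutorial's Terraform attaches as the role's assume-role policy; the permissions document is the one to attach to the role. Which role depends on who reads the parameters: if the application calls SSM itself at runtime (the situation in the comment above), the policy belongs on the task role referenced by the task definition's task_role_arn; if ECS injects the values through the task definition's secrets/valueFrom mechanism described in specifying-sensitive-data, the execution role (execution_role_arn) needs the ssm:GetParameters and kms:Decrypt permissions instead.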