2

I have an an audit container that runs a scan against various AWS APIs. I want to have all of these run as ECS tasks in the prod account, but scan resources in other accounts. Is it possible to set a role from another account as the task role? I've attempted setting taskRoleArn in my task definition to the ARN of the desired role from another account, but I get the error message "Role is not Valid"

I have a simple trust relationship on the role from on the other account (111111111111 is the prod account):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

I have a Cloudwatch Events service role in the prod account that allows iam:passRole to this role on the other account. Is there any modification needed to the ECS task execution role? I was under the impression this was only going to forward logs to Cloudwatch Logs and pull the OCI image from ECR, and shouldn't need any other permissions.

Is this possible or do I just have to assign a task role with sts:assumeRole permissions into the other account and have a shim in the Container image that assumes the role before running the audit?

TopherIsSwell
  • 420
  • 6
  • 17

1 Answers1

1

Is there any modification needed to the ECS task execution role?

Add a policy to your ECS task execution role to assume roles.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "<cross-account role arn here>"
        }
    ]
}

And assume it programmatically: https://stackoverflow.com/a/64345823/12170218

Fer Trovati
  • 1,141
  • 1
  • 4
  • 4