7

I am trying to access a ".env" file stored in an S3 bucket from Fargate ECS tasks using the Environment Files configuration (S3 ARN) under Container Definition.

But the ECS task is failing with Stopped Reason - "ResourceInitializationError: failed to download env files: file download command: non-empty error stream: failed to download file configs-staging-1.env: failed to write to a temporary file: AccessDenied: Access Denied ..."

I have a Task role attached to my Fargate task definition as below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::app-configs"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::app-configs/*"
        }
    ]
}

and the bucket policy is also set:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789:role/ecsS3AccessTaskRole"
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::app-configs"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789:role/ecsS3AccessTaskRole"
            },
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::app-configs/*"
        }
    ]
}

What permission am I missing here?

michael
a-k
  • Facing the same error... :( – Roy Ra Jan 09 '21 at 06:21
  • For me, I had server-side encryption enabled on the S3 bucket; that's why I was getting the Access Denied error. After disabling server-side encryption, and with a proper Task Role with S3 permissions as below, it was working for me: `"Statement": [ { "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Effect": "Allow", "Resource": "arn:aws:s3:::app-configs" }, {` I still haven't figured out what permissions are required with server-side encryption on at the bucket level – a-k Jan 12 '21 at 09:27
    I just used `Systems Manager - Parameter Store` to get environment variables :) – Roy Ra Jan 13 '21 at 03:08
    For me, I had to enable "auto assign public IP". – Anubhav Ujjawal Mar 12 '21 at 10:06
  • If you are using S3 bucket encryption, you do not need to give up; you just need to also add a permission policy to read the KMS (Key Management Service) key, like `{ "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "kms:GetPublicKey", "kms:GetKeyPolicy", "kms:DescribeKey" ], "Resource": "*" }`. Eventually modify the Resource accordingly. – Tomas Sep 22 '22 at 11:57

1 Answer

4

According to the AWS documentation (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/taskdef-envfiles.html), you need to attach the policies to the ecsTaskExecutionRole IAM role. (You don't need to add permissions to the S3 bucket.)

kidkkr
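As an added illustration (not code from the question or the answer): an offline model of the S3 grants the ECS agent needs when it fetches an environment file, showing that the question's grants are sufficient but sit on the task role, while the agent downloads the file with the execution role. The required actions follow the ECS documentation the answer cites; the default execution-role policy is approximated and the KMS key ARN is a placeholder.

```python
"""Added example: an offline model of the S3 grants the ECS agent needs for an
environmentFiles entry.  Constructed for illustration; it handles only Allow
statements with Action/Resource wildcards, not the full IAM evaluation logic."""
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::app-configs"                  # bucket from the question
ENV_FILE = f"{BUCKET}/configs-staging-1.env"          # file named in the error

# Actions the execution role needs when ECS downloads an env file (ECS docs).
REQUIRED = [("s3:GetObject", ENV_FILE), ("s3:GetBucketLocation", BUCKET)]
# With SSE-KMS on the object, the role must also decrypt with that key.
KMS_KEY = "arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID"  # placeholder ARN
REQUIRED_SSE_KMS = REQUIRED + [("kms:Decrypt", KMS_KEY)]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allows(policy: dict, action: str, resource: str) -> bool:
    """True if some Allow statement matches both action and resource."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatchcase(action.lower(), a.lower())
                        for a in _as_list(stmt["Action"]))
        resource_ok = any(fnmatchcase(resource, r)
                          for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


def missing(policy: dict, required=REQUIRED) -> list:
    """Return the (action, resource) pairs the policy does not grant."""
    return [(a, r) for a, r in required if not allows(policy, a, r)]


# The question's grants live on the *task* role, which the agent never uses.
# A default execution role has only ECR/CloudWatch grants (approximation).
EXECUTION_ROLE_DEFAULT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ecr:GetAuthorizationToken", "ecr:BatchGetImage",
        "logs:CreateLogStream", "logs:PutLogEvents"]}]}

# Least-privilege addition for the execution role: read one file, no writes.
EXECUTION_ROLE_FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": ENV_FILE},
    {"Effect": "Allow", "Action": "s3:GetBucketLocation", "Resource": BUCKET}]}
```

`missing(EXECUTION_ROLE_DEFAULT)` reports both S3 actions as absent, which is the AccessDenied from the question; `missing(EXECUTION_ROLE_FIXED)` is empty, and passing `REQUIRED_SSE_KMS` shows the extra `kms:Decrypt` grant needed for an SSE-KMS bucket.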