The Lambda function in this case should execute an ecs:RunTask but fails with the following error:
botocore.errorfactory.AccessDeniedException: An error occurred (AccessDeniedException) when calling the RunTask operation: User: arn:aws:sts::Account no:assumed-role/interface-prod-eu-west-1-lambdaRole/interface-prod-invoke-kpi-job is not authorized to perform: iam:PassRole on resource: arn:aws:iam::Account no:role/FargateRole
We use boto3 to run the Fargate task inside the Lambda code.
=========================
Managed policy attached to "FargateRole"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:RunTask"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringLike": {
          "iam:PassedToService": "ecs-tasks.amazonaws.com"
        }
      }
    }
  ]
}
Lambda role - "interface-prod-eu-west-1-lambdaRole"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ecs:RunTask"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "iam:GetRole",
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::Account no:role/FargateRole",
      "Effect": "Allow"
    }
  ]
}
Can anyone help figure out the additional permission required or what needs to be changed?
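The following is an added example, not code from the original post: a small policy evaluator that replays the two documents posted above against the checks ecs:RunTask triggers (the call itself and the implicit iam:PassRole on every role the task definition references). It assumes a placeholder account ID 123456789012 in place of the redacted "Account no", a task definition named kpi-job, and an execution role named ecsTaskExecutionRole that the post does not mention. It models only what these policies use (Allow/Deny with explicit deny winning, `*`/`?` wildcards, StringEquals/StringLike conditions); NotAction, NotResource, SCPs, permission boundaries and session policies are outside what a policy document alone can show.

```python
"""Toy IAM evaluator replaying the policies from the post (added example)."""
import re

# Assumed placeholders: the post redacts the account and names no execution role.
ACCOUNT = "123456789012"
FARGATE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/FargateRole"
EXECUTION_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/ecsTaskExecutionRole"
TASK_DEF_ARN = f"arn:aws:ecs:eu-west-1:{ACCOUNT}:task-definition/kpi-job:1"

# Managed policy the post attaches to FargateRole (the role being passed).
FARGATE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecs:RunTask"], "Resource": ["*"]},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": ["*"],
         "Condition": {"StringLike": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
    ],
}

# Statements the post shows on the Lambda role (the principal calling RunTask).
LAMBDA_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecs:RunTask"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:GetRole", "iam:PassRole"],
         "Resource": FARGATE_ROLE_ARN},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value):
    """IAM wildcard match: '*' spans any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_holds(condition, context):
    """A context key missing from the request makes the condition false."""
    for operator, pairs in condition.items():
        for key, patterns in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = actual in _as_list(patterns)
            elif operator == "StringLike":
                ok = any(_iam_match(p, actual) for p in _as_list(patterns))
            else:
                raise ValueError(f"operator {operator} not modelled here")
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return (decision, matching statement): 'allow', 'deny' or 'implicit_deny'.

    Actions compare case-insensitively and resource ARNs case-sensitively, as IAM does.
    """
    context = context or {}
    decision, hit = "implicit_deny", None
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_iam_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
                continue
            if not any(_iam_match(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
                continue
            if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
                continue
            if stmt["Effect"] == "Deny":
                return "deny", stmt          # explicit deny short-circuits
            decision, hit = "allow", stmt    # keep scanning in case a Deny follows
    return decision, hit


def diagnose():
    """Replay the checks RunTask triggers for the Lambda role, plus the FargateRole policy."""
    ecs_ctx = {"iam:PassedToService": "ecs-tasks.amazonaws.com"}
    return {
        "lambda_runtask": evaluate([LAMBDA_ROLE_POLICY], "ecs:RunTask", TASK_DEF_ARN)[0],
        # The second Lambda-role statement matches, so this document alone
        # does not explain the AccessDenied in the post.
        "lambda_pass_fargate_role": evaluate(
            [LAMBDA_ROLE_POLICY], "iam:PassRole", FARGATE_ROLE_ARN, ecs_ctx)[0],
        # Any other role in the task definition (e.g. an execution role) has no match.
        "lambda_pass_execution_role": evaluate(
            [LAMBDA_ROLE_POLICY], "iam:PassRole", EXECUTION_ROLE_ARN, ecs_ctx)[0],
        # The FargateRole policy only allows PassRole when the service key is present,
        # and it is never consulted for the Lambda's call in the first place.
        "fargate_policy_without_service_ctx": evaluate(
            [FARGATE_ROLE_POLICY], "iam:PassRole", FARGATE_ROLE_ARN)[0],
        "fargate_policy_with_service_ctx": evaluate(
            [FARGATE_ROLE_POLICY], "iam:PassRole", FARGATE_ROLE_ARN, ecs_ctx)[0],
    }


if __name__ == "__main__":
    for check, result in diagnose().items():
        print(f"{check}: {result}")
```

Two points the replay makes concrete. First, iam:PassRole is evaluated against the principal making the RunTask call, so the PassRole statement on FargateRole's own managed policy does nothing for the Lambda; only the Lambda role's policy counts. Second, as posted, the Lambda role's policy does allow iam:PassRole on FargateRole, so if the live policy really matches the text, the denial has to come from something the document cannot show: the policy not being attached to the role the Lambda actually runs as, a permissions boundary or SCP denying PassRole, or the task definition referencing a second role (for Fargate, an execution role) whose ARN is not covered by the Resource element.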