(ecs-patterns): ScheduledFargateTask target role does not have enough permission to launch the task
ScheduledFargateTask target role (eventsRole) does not have enough permission to launch the task. The target task does not have iam:PassRole permission on the taskExecutionRole. The default target role only has iam:PassRole permission on the taskDefinitionRole. I have tried creating multiple ScheduledFargateTasks and all have failed citing a permission issue. This should be a bug.
Reproduction Steps
```java
// CDK v1 Java imports for the classes used in this fragment
import java.util.Arrays;
import software.amazon.awscdk.services.ec2.SubnetSelection;
import software.amazon.awscdk.services.ec2.SubnetType;
import software.amazon.awscdk.services.ecs.FargatePlatformVersion;
import software.amazon.awscdk.services.ecs.FargateTaskDefinition;
import software.amazon.awscdk.services.ecs.FargateTaskDefinitionProps;
import software.amazon.awscdk.services.ecs.patterns.ScheduledFargateTask;
import software.amazon.awscdk.services.ecs.patterns.ScheduledFargateTaskDefinitionOptions;
import software.amazon.awscdk.services.ecs.patterns.ScheduledFargateTaskProps;
import software.amazon.awscdk.services.events.CronOptions;
import software.amazon.awscdk.services.events.Schedule;

// ReCiter-Machine-Learning-Analysis cron job
// `reCiterCluster`, `vpc` and `reciterClusterSg` are defined elsewhere in the stack.
reCiterMachineLearningFargateTask = new ScheduledFargateTask(this, "reCiterMachineLearningFargateTask",
    ScheduledFargateTaskProps.builder()
        .cluster(reCiterCluster)
        .desiredTaskCount(1)
        // Runs once a day at 03:00
        .schedule(Schedule.cron(CronOptions.builder()
            .hour("3")
            .minute("00")
            .build()))
        .enabled(true)
        .platformVersion(FargatePlatformVersion.LATEST)
        .ruleName("reCiter-machine-learning-analysis-rule")
        .vpc(vpc)
        .subnetSelection(SubnetSelection.builder()
            .onePerAz(true)
            .subnetType(SubnetType.PRIVATE)
            .build())
        .securityGroups(Arrays.asList(reciterClusterSg))
        // Task definition created inline; its execution role is the one the events role cannot pass
        .scheduledFargateTaskDefinitionOptions(ScheduledFargateTaskDefinitionOptions.builder()
            .taskDefinition(new FargateTaskDefinition(this, "reCiterMachineLearningAnalysisTaskDef",
                FargateTaskDefinitionProps.builder()
                    .cpu(1024)
                    .memoryLimitMiB(8192)
                    .build()))
            .build())
        .build());
```
What did you expect to happen?
The scheduled Fargate task will run with CloudWatch Events.
What actually happened?
The task run failed citing permission issues. From CloudTrail logs:
```json
"sourceIPAddress": "events.amazonaws.com",
"userAgent": "events.amazonaws.com",
"errorCode": "AccessDenied",
"errorMessage": "User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/ReCiterCdkMasterStack-reC-reCiterMachineLearningAn-xxxxxxxxxxx/xxxxxxxxxxx is not authorized to perform: iam:PassRole on resource: arn:aws:iam::xxxxxxxxxxxxxxx:role/ReCiterCdkMasterStack-reC-reCiterMachineLearningAn-xxxxxxxxxxxxx",
```
Environment
- CDK CLI Version: 1.117.0
- Module Version: 1.117.0
- Node.js Version: 16
- OS: macOS Sierra
- Language (Version): java8
Other
ScheduledFargateTask target role does not have enough permission to launch the task. The target task does not have iam:PassRole permission on the taskExecutionRole. The default target role only has iam:PassRole permission on the taskDefinitionRole. The CDK does not expose the eventsRole through software.amazon.awscdk.services.events.Rule to add the policy. For reference on how the ScheduledFargateTask is created, see here: CDK-Repo
This is a 🐛 Bug Report
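As an added example (not code from the issue or from the CDK project), a small Python checker for the condition the report describes: it evaluates whether a target role's policy grants iam:PassRole on both the task role and the execution role of a task definition, and pulls the denied role ARN out of a CloudTrail record shaped like the one above. All ARNs, policy documents and the CloudTrail record are constructed samples.

```python
"""Check that an EventBridge target role can pass every role a Fargate task needs.
Added example; ARNs and policies below are constructed, not taken from the issue."""
import fnmatch
import re

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource, context=None):
    """Minimal IAM evaluation: explicit Deny wins, otherwise a statement must Allow.
    Actions match case-insensitively with IAM wildcards; only StringEquals
    conditions are modelled (what iam:PassedToService uses)."""
    context, allowed = context or {}, False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if any(context.get(k) not in _as_list(v) for k, v in cond.items()):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def missing_passrole(policy, task_def_roles):
    """Role ARNs the target role cannot pass to ECS; non-empty means RunTask is AccessDenied."""
    ctx = {"iam:PassedToService": "ecs-tasks.amazonaws.com"}
    return [arn for arn in task_def_roles if not is_allowed(policy, "iam:PassRole", arn, ctx)]

DENIED_RE = re.compile(r"not authorized to perform: iam:PassRole on resource: (arn:aws:iam::\d+:role/\S+)")

def denied_passrole_from_cloudtrail(event):
    """Extract the role ARN from a CloudTrail AccessDenied record, or None if it is not a PassRole denial."""
    if event.get("errorCode") != "AccessDenied":
        return None
    m = DENIED_RE.search(event.get("errorMessage", ""))
    return m.group(1) if m else None

ACCOUNT = "123456789012"  # constructed account id
TASK_ROLE = f"arn:aws:iam::{ACCOUNT}:role/ReCiterStack-MlTaskRole-EXAMPLE"
EXEC_ROLE = f"arn:aws:iam::{ACCOUNT}:role/ReCiterStack-MlExecRole-EXAMPLE"
RUN_TASK = {"Effect": "Allow", "Action": "ecs:RunTask", "Resource": f"arn:aws:ecs:us-east-1:{ACCOUNT}:task-definition/MlTaskDef:*"}
# Shape of the default target-role policy the issue describes: PassRole on the task role only.
DEFAULT_POLICY = {"Version": "2012-10-17", "Statement": [RUN_TASK, {"Effect": "Allow", "Action": "iam:PassRole", "Resource": TASK_ROLE}]}
# Corrected policy: PassRole on both roles, restricted to ECS tasks via iam:PassedToService.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [RUN_TASK, {"Effect": "Allow", "Action": "iam:PassRole",
    "Resource": [TASK_ROLE, EXEC_ROLE], "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}}]}
```

Running `missing_passrole(DEFAULT_POLICY, [TASK_ROLE, EXEC_ROLE])` returns the execution role ARN, matching the CloudTrail denial in the report, while the corrected policy returns an empty list.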
Top GitHub Comments
I’ve marked this issue as a p1 and I’m keeping it open so that someone may fix this issue if they want to. Glad you got the workaround figured out!
@peterwoodworth Actually I was able to do it. I am attaching as reference -