(ecs-patterns): ScheduledFargateTask target role does not have enough permission to launch the task


The ScheduledFargateTask target role (eventsRole) does not have enough permission to launch the task. The target task does not have iam:PassRole permission on the taskExecutionRole. The default target role only has permission for iam:PassRole on the taskdefinitionRole. I have tried creating multiple ScheduledFargateTasks and all have failed citing a permission issue. This should be a bug.

Reproduction Steps

```java
// ReCiter-Machine-Learning-Analysis cron job
// (reCiterMachineLearningFargateTask, reCiterCluster, vpc and reciterClusterSg are declared elsewhere in the stack)
reCiterMachineLearningFargateTask = new ScheduledFargateTask(this, "reCiterMachineLearningFargateTask", ScheduledFargateTaskProps.builder()
        .cluster(reCiterCluster)
        .desiredTaskCount(1)
        // run daily at 03:00
        .schedule(Schedule.cron(CronOptions.builder()
                .hour("3")
                .minute("00")
                .build()))
        .enabled(true)
        .platformVersion(FargatePlatformVersion.LATEST)
        .ruleName("reCiter-machine-learning-analysis-rule")
        .vpc(vpc)
        .subnetSelection(SubnetSelection.builder()
                .onePerAz(true)
                .subnetType(SubnetType.PRIVATE)
                .build())
        .securityGroups(Arrays.asList(reciterClusterSg))
        .scheduledFargateTaskDefinitionOptions(ScheduledFargateTaskDefinitionOptions.builder()
                // the construct synthesizes both a task role and an execution role for this definition
                .taskDefinition(new FargateTaskDefinition(this, "reCiterMachineLearningAnalysisTaskDef", FargateTaskDefinitionProps.builder()
                        .cpu(1024)
                        .memoryLimitMiB(8192)
                        .build()))
                .build())
        .build());
```

What did you expect to happen?

The scheduled Fargate task will run with CloudWatch Events.

What actually happened?

The task run failed citing permission issues. From CloudTrail logs:

"sourceIPAddress": "events.amazonaws.com",
"userAgent": "events.amazonaws.com",
"errorCode": "AccessDenied",
"errorMessage": "User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/ReCiterCdkMasterStack-reC-reCiterMachineLearningAn-xxxxxxxxxxx/xxxxxxxxxxx is not authorized to perform: iam:PassRole on resource: arn:aws:iam::xxxxxxxxxxxxxxx:role/ReCiterCdkMasterStack-reC-reCiterMachineLearningAn-xxxxxxxxxxxxx",

Environment

  • CDK CLI Version: 1.117.0
  • Module Version: 1.117.0
  • Node.js Version: 16
  • OS: macOS Sierra
  • Language (Version): java8

Other

The ScheduledFargateTask target role does not have enough permission to launch the task. The target task does not have iam:PassRole permission on the taskExecutionRole. The default target role only has permission for iam:PassRole on the taskdefinitionRole. The CDK does not expose the eventsRole through software.amazon.awscdk.services.events.Rule, so the policy cannot be added. For reference on how the ScheduledFargateTask is created see here - CDK-Repo


This is a 🐛 Bug Report
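As an added check that is not code from the issue or from aws-cdk, the Python below models the gap the report describes: it evaluates an events target role's policy against the two roles ECS has to pass when it launches a Fargate task (task role and execution role) and lists any that are not covered. The policy documents and ARNs are constructed stand-ins, not values from the issue.

```python
from fnmatch import fnmatchcase

# Constructed stand-ins for the roles CDK synthesizes for a FargateTaskDefinition
# (placeholder account id, not values from the issue).
TASK_ROLE_ARN = "arn:aws:iam::111111111111:role/Example-TaskRole"
EXECUTION_ROLE_ARN = "arn:aws:iam::111111111111:role/Example-ExecutionRole"
TASK_DEF_ARN = "arn:aws:ecs:us-east-1:111111111111:task-definition/Example:1"

# Constructed policy with the shape the issue describes for the default events role:
# ecs:RunTask on the task definition plus iam:PassRole on the task role only.
DEFAULT_EVENTS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecs:RunTask", "Resource": TASK_DEF_ARN},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": TASK_ROLE_ARN},
]}

# Constructed policy equivalent to the workaround role: PassRole on both roles.
FIXED_EVENTS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecs:RunTask"], "Resource": [TASK_DEF_ARN]},
    {"Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": [EXECUTION_ROLE_ARN, TASK_ROLE_ARN]},
]}

def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _allows(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow
    grants. Honours '*' and '?' wildcards; Condition blocks are ignored."""
    allowed = denied = False
    for stmt in policy.get("Statement", []):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatchcase(resource, r) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            denied = True
        elif stmt.get("Effect") == "Allow":
            allowed = True
    return allowed and not denied

def missing_pass_role(policy, task_role_arn, execution_role_arn=None):
    """Return the role ARNs ECS must be allowed to pass that the policy does not cover.
    Fargate task definitions always carry an execution role, so pass it when present."""
    required = [task_role_arn] + ([execution_role_arn] if execution_role_arn else [])
    return [arn for arn in required if not _allows(policy, "iam:PassRole", arn)]
```

Run against the default-shaped policy the check names the execution role as missing, which is exactly the AccessDenied the CloudTrail entry above reports; against the workaround-shaped policy it returns nothing.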

Top GitHub Comments

1 reaction
peterwoodworth commented, Sep 9, 2021

I’ve marked this issue as a p1 and I’m keeping it open so that someone may fix this issue if they want to. Glad you got the workaround figured out!

1 reaction
sarbajitdutta commented, Sep 9, 2021

@peterwoodworth Actually I was able to do it. I am attaching as reference -

```java
// Workaround: build a replacement events role that may pass BOTH the task role and the
// execution role, then point the generated CloudWatch Events rule at it.
final Role reCiterMachineLearningEventsModifiedRule = new Role(this, "reCiterMachineLearningEventsModifiedRule", RoleProps.builder()
        .description("This role will be events role for ReCiter-Machine-Learning-Analysis.")
        .roleName("cdk-reciter-machine-learning-events-role")
        .managedPolicies(Arrays.asList(new ManagedPolicy(this, "reCiterMachineLearningEventsPolicy", ManagedPolicyProps.builder()
                .managedPolicyName("cdk-reciter-machine-learning-events-role-policy")
                .description("This policy allows to run ECS task in cluster.")
                .statements(Arrays.asList(
                        new PolicyStatement(PolicyStatementProps.builder()
                                .sid("ecsRunTask")
                                .actions(Arrays.asList("ecs:RunTask"))
                                .effect(Effect.ALLOW)
                                .resources(Arrays.asList(reCiterMachineLearningFargateTask.getTaskDefinition().getTaskDefinitionArn()))
                                // scope RunTask to this cluster only
                                .conditions(new HashMap<String, Object>() {{
                                    put("ArnEquals", new HashMap<String, Object>() {{
                                        put("ecs:cluster", reCiterCluster.getClusterArn());
                                    }});
                                }})
                                .build()),
                        new PolicyStatement(PolicyStatementProps.builder()
                                .sid("iamPassRole")
                                .actions(Arrays.asList("iam:PassRole"))
                                .effect(Effect.ALLOW)
                                // the execution role is what the default events role was missing
                                .resources(Arrays.asList(
                                        reCiterMachineLearningFargateTask.getTaskDefinition().obtainExecutionRole().getRoleArn(),
                                        reCiterMachineLearningFargateTask.getTaskDefinition().getTaskRole().getRoleArn()))
                                .build())))
                .build())))
        .assumedBy(new ServicePrincipal("events.amazonaws.com"))
        .build());

// ScheduledFargateTask does not expose the events role, so drop to the L1 CfnRule and override its RoleArn
CfnRule eventsRule = (CfnRule) reCiterMachineLearningFargateTask.getEventRule().getNode().getDefaultChild();
eventsRule.setRoleArn(reCiterMachineLearningEventsModifiedRule.getRoleArn());
```