User is not authorized to perform iam:GetRole on resource role ecsTaskExecutionRole because no identity-based policy allows the iam:GetRole action

1

I encounter this issue while trying to create a task def on Fargate. My admin said he added the ecsTaskExecutionRole to my user account, but the issue is not resolved yet. Is there something I'm doing wrong? My account doesn't have the authorization to see the policies. I pushed the Docker image to ECR using a different account with higher privileges (that was already added to the local system, and I don't know its credentials), and I added a custom permission for the repo with 'principal:*' and the following actions:

ecr:BatchCheckLayerAvailability
ecr:BatchGetImage
ecr:CompleteLayerUpload
ecr:GetDownloadUrlForLayer
ecr:InitiateLayerUpload
ecr:PutImage
ecr:UploadLayerPart

asked a year ago, 8813 views
1 Answer
1
Accepted Answer

The admin should have added the role to your user account via the PassRole permissions. Verify that is what was done. See: Granting a user permissions to pass a role to an AWS service.

For example:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "iam:GetRole",
            "iam:PassRole"
        ],
        "Resource": "arn:aws:iam::account-id:role/EC2-roles-for-XYZ-*"
    }]
}
AWS
EXPERT
kentrad
answered a year ago
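
Added example, not part of the original answer or AWS's own code: a simplified local evaluator for identity-based policy statements, showing that the answer's sample `Resource` pattern does not cover `ecsTaskExecutionRole`, next to a scoped variant. The account ID `111122223333`, the `SCOPED` policy, the `allows` helper and the `ecs-tasks.amazonaws.com` service value are assumptions; only `Action`, `Resource` and `StringEquals` are modelled (no `NotAction`, permission boundaries or SCPs).

```python
import re

# Constructed values: the account ID and role ARN are placeholders.
ROLE_ARN = "arn:aws:iam::111122223333:role/ecsTaskExecutionRole"

# The answer's sample policy with the placeholder account ID filled in.
ANSWER_EXAMPLE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["iam:GetRole", "iam:PassRole"],
    "Resource": "arn:aws:iam::111122223333:role/EC2-roles-for-XYZ-*"}]}

# Assumed scoped variant for the role named in the question. GetRole sits in
# its own statement because iam:PassedToService is only set on PassRole calls.
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:GetRole", "Resource": ROLE_ARN},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": ROLE_ARN,
     "Condition": {"StringEquals": {
         "iam:PassedToService": "ecs-tasks.amazonaws.com"}}}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(pattern, value, flags=0):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, flags) is not None

def allows(policy, action, resource, context=None):
    """Return True if an Allow statement matches and no Deny statement does."""
    context = context or {}
    allowed = False
    for st in _as_list(policy["Statement"]):
        # Action names are case-insensitive; resource ARNs are matched as-is.
        if not any(_wild(a, action, re.I) for a in _as_list(st["Action"])):
            continue
        if not any(_wild(r, resource) for r in _as_list(st["Resource"])):
            continue
        cond = st.get("Condition", {})
        if set(cond) - {"StringEquals"}:
            raise ValueError("only StringEquals is modelled here")
        # A key missing from the request context fails StringEquals.
        if not all(context.get(k) in _as_list(v)
                   for k, v in cond.get("StringEquals", {}).items()):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Calling `allows(ANSWER_EXAMPLE, "iam:GetRole", ROLE_ARN)` returns `False`, which corresponds to the "no identity-based policy allows the iam:GetRole action" error in the question title.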
