Most restrictive Document Policy for an S3 Gateway Endpoint to pull docker image in ECR from ECS

0

I am deploying an ECS Fargate cluster with a service in private subnets. To enable tasks to pull the Docker image from ECR, I have created three Endpoints (dkr, ecr API, and S3) in my VPC.

Focusing on the S3 endpoint, I would like to associate the most restrictive policy possible so that only tasks can use this endpoint and only access the specific S3 bucket where ECR stores the images.

In the official AWS documentation, they propose the following policy:

{
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::prod-region-starport-layer-bucket/*"]
    }
  ]
}

This policy is okay, but it only restricts access to the bucket through the endpoint. I would like a policy that specifically allows only ECS to access it and not other resources that may be in the same private subnets with access to the endpoint. I have tried this policy:

{
  "Statement": [
    {
      "Sid": "Access-to-specific-bucket-only-from-ecs-task",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::prod-region-starport-layer-bucket/*"]
    }
  ]
}

But it doesn't work: the task can't pull the image, and I don't know why.

Can you help me out?

2 answers
0

Usually you associate an IAM role with the service; have you tried that as the principal?

Expert
answered 7 months ago
0

Have you tried using a condition as follows, replacing the role name with the ECS task role?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow-access-to-specific-IAM-role",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": ["arn:aws:s3:::prod-region-starport-layer-bucket/*"],
      "Condition": {
        "ArnEquals": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/role_name"
        }
      }
    }
  ]
}
Expert
answered 7 months ago
  • I just tried modifying it as you suggested, and it doesn't work, neither by setting the ExecutionRoleArn of the service nor the TaskRoleArn of the task.
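To make the difference between the three policies in this thread concrete, here is a small offline policy evaluator (an added example, not from the asker, the answerers or AWS). It models only the parts of IAM evaluation the thread touches: Action and Resource wildcard matching, the two principal forms used above ("*" and a Service principal), and the ArnEquals condition on aws:PrincipalArn. The account id and role name are the placeholders from the second answer; the object key and the "other role" ARN are constructed sample values.

```python
import fnmatch
import json

# Policies as posted in the thread (account id and role name are placeholders).
DOCS_POLICY = {
    "Statement": [{
        "Sid": "Access-to-specific-bucket-only",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Effect": "Allow",
        "Resource": ["arn:aws:s3:::prod-region-starport-layer-bucket/*"],
    }]
}

SERVICE_PRINCIPAL_POLICY = {
    "Statement": [{
        "Sid": "Access-to-specific-bucket-only-from-ecs-task",
        "Principal": {"Service": "ecs-tasks.amazonaws.com"},
        "Action": ["s3:GetObject"],
        "Effect": "Allow",
        "Resource": ["arn:aws:s3:::prod-region-starport-layer-bucket/*"],
    }]
}

ROLE_CONDITION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow-access-to-specific-IAM-role",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": ["arn:aws:s3:::prod-region-starport-layer-bucket/*"],
        "Condition": {"ArnEquals": {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/role_name"}},
    }]
}

TASK_ROLE = "arn:aws:iam::111122223333:role/role_name"            # placeholder from the answer
OTHER_ROLE = "arn:aws:iam::111122223333:role/some-other-ec2-role"  # constructed
LAYER = "arn:aws:s3:::prod-region-starport-layer-bucket/layer-sha256-example"  # constructed key


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # IAM wildcards: '*' matches any run of characters (including '/'), '?' one character.
    return fnmatch.fnmatchcase(value, pattern)


def _principal_matches(principal, request):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        # An "AWS" principal is compared to the ARN of the role that signed the request.
        if any(_match(p, request["principal_arn"]) for p in _as_list(principal.get("AWS", []))):
            return True
        # A "Service" principal matches only requests made by that AWS service itself.
        # A task signing with role credentials is the role, not the service, so
        # ecs-tasks.amazonaws.com never matches an image pull made by the task.
        if request.get("calling_service") in _as_list(principal.get("Service", [])):
            return True
    return False


def _condition_matches(condition, request):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = request["context"].get(key)
            if actual is None:
                return False  # missing context key: condition is not satisfied
            if operator in ("ArnEquals", "ArnLike", "StringLike"):
                ok = any(_match(v, actual) for v in _as_list(expected))
            elif operator == "StringEquals":
                ok = actual in _as_list(expected)
            else:
                raise ValueError(f"operator {operator} is not modelled here")
            if not ok:
                return False
    return True


def evaluate(policy, request):
    """Return 'Allow' or 'Deny' (implicit deny when no statement matches)."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_match(a, request["action"]) for a in _as_list(stmt["Action"])):
            continue
        if not any(_match(r, request["resource"]) for r in _as_list(stmt["Resource"])):
            continue
        if not _principal_matches(stmt["Principal"], request):
            continue
        if not _condition_matches(stmt.get("Condition", {}), request):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        allowed = True
    return "Allow" if allowed else "Deny"


def request_from(role_arn, resource=LAYER):
    # Request context as S3 sees it: for an assumed-role session, aws:PrincipalArn is the role ARN.
    return {"action": "s3:GetObject", "resource": resource,
            "principal_arn": role_arn, "context": {"aws:PrincipalArn": role_arn}}


def compare_policies():
    """Evaluate each policy against a task-role pull, another role in the subnet, and a foreign bucket."""
    cases = {
        "task_role": request_from(TASK_ROLE),
        "other_role": request_from(OTHER_ROLE),
        "task_role_other_bucket": request_from(TASK_ROLE, "arn:aws:s3:::some-other-bucket/key"),
    }
    policies = {"docs": DOCS_POLICY, "service_principal": SERVICE_PRINCIPAL_POLICY,
                "role_condition": ROLE_CONDITION_POLICY}
    return {name: {p: evaluate(pol, req) for p, pol in policies.items()} for name, req in cases.items()}


if __name__ == "__main__":
    print(json.dumps(compare_policies(), indent=2))
```

The result shows why the asker's Service-principal policy denies everything (the task is an IAM role principal, not the ECS service), and that the role condition from the second answer is the one that actually distinguishes the task's role from another role in the same subnets while the documented policy lets both through. One caveat the evaluator cannot model: the endpoint policy only sees the principal that signed the S3 request. ECR hands out image layers as pre-signed S3 URLs (that is what ecr:GetDownloadUrlForLayer returns), and a request made with such a URL is not signed by the task's role, so an aws:PrincipalArn condition on the S3 endpoint will not match it; that is consistent with the comment above reporting that neither the execution role nor the task role made the pull succeed.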
