2 Answers
0
Usually you associate an IAM role with the service; have you tried that as the principal?
0
Have you tried using a condition as follows, replacing the role name with the ECS task role?

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow-access-to-specific-IAM-role",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": ["arn:aws:s3:::prod-region-starport-layer-bucket/*"],
      "Condition": {
        "ArnEquals": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/role_name"
        }
      }
    }
  ]
}
```
I just tried to modify it as you suggested, and it doesn't work, neither by setting the ExecutionRoleArn of the service nor with the TaskRoleArn of the task.
Yes, I've done it. I've tried both putting the role with which the ECS service runs, and I've also tried the role with which the tasks run. Neither of these two things as the principal works; the tasks are not able to pull the image.
Added a new answer after reading the S3 gateway docs: https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html
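As an added illustration that is not part of this thread, the small Python evaluator below applies the bucket policy from the second answer to three request contexts, using the documented ArnEquals/ArnLike rule that each of the six colon-delimited ARN parts is matched separately with `*`/`?` wildcards. It assumes (as a constructed case, not a fact from the thread) that a layer download from the starport bucket may arrive with no IAM principal in its request context, in which case the `aws:PrincipalArn` condition can never match, whichever role is named in it.

```python
import fnmatch
import json

# The bucket policy posted in the second answer, embedded here as the input under test.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Allow-access-to-specific-IAM-role",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject"],
    "Resource": ["arn:aws:s3:::prod-region-starport-layer-bucket/*"],
    "Condition": {"ArnEquals": {
      "aws:PrincipalArn": "arn:aws:iam::111122223333:role/role_name"}}
  }]
}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def arn_matches(pattern, value):
    """ArnEquals/ArnLike semantics: six colon-delimited parts, compared one by one,
    each part allowing * and ? wildcards (the two operators behave identically)."""
    p, v = pattern.split(":", 5), value.split(":", 5)
    return len(p) == len(v) and all(fnmatch.fnmatchcase(b, a) for a, b in zip(p, v))

def evaluate(policy, action, resource, context):
    """Return 'Allow', 'Deny' or None (no statement matched) for one request.
    `context` holds the request's condition keys; only ArnEquals/ArnLike are modelled."""
    decision = None
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(arn_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        ok = True
        for op, pairs in stmt.get("Condition", {}).items():
            if op not in ("ArnEquals", "ArnLike"):
                raise NotImplementedError(op)
            for key, patterns in pairs.items():
                # A key absent from the request context never satisfies a positive operator.
                if not (key in context and any(arn_matches(p, context[key]) for p in _as_list(patterns))):
                    ok = False
        if not ok:
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

LAYER = "arn:aws:s3:::prod-region-starport-layer-bucket/sha256/abc123"  # constructed object key

def check_cases():
    """The same GetObject on the layer bucket under three constructed request contexts."""
    task_role = {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/role_name"}
    other_role = {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/some_other_role"}
    no_principal = {}  # assumption: a download that carries no IAM principal at all
    return (evaluate(POLICY, "s3:GetObject", LAYER, task_role),
            evaluate(POLICY, "s3:GetObject", LAYER, other_role),
            evaluate(POLICY, "s3:GetObject", LAYER, no_principal))
```

Only the first context is allowed; a request with no principal falls through to None, which is an implicit deny regardless of which role ARN the condition names.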