By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Stepfunction runs into IAMPassRole error on ECS Runtask

0

I am trying to make a step function that will start an ECS Fargate container with environment variables from the input. Whenever I try and run the function I get what seems to be an IAMs error, but I made a new IAMs account with the function. So it should have all of the needed permissions, and the account that I am using has nearly full permissions, so I don't know how it could be an IAMs issue.

{
  "Comment": "A description of my state machine",
  "StartAt": "ECS RunTask",
  "States": {
    "ECS RunTask": {
      "Type": "Task",
      "Resource": "arn:aws:states:::ecs:runTask.sync",
      "Parameters": {
        "LaunchType": "FARGATE",
        "TaskDefinition": "arn:aws:ecs:us-east-1:---:task-definition/---",
        "Overrides": {
          "ContainerOverrides": [
            {
              "Name": "pls work",
              "Environment": [
                {
                  "Name": "INPUT",
                  "Value.$": "$.INPUT"
                }
              ]
            }
          ]
        }
      },
      "Next": "Success"
    },
    "Success": {
      "Type": "Succeed"
    }
  }
}

Here is the error that I am running into:

User: arn:aws:sts::---:assumed-role/StepFunctions-MyStateMachine---/--- is not authorized to perform: iam:PassRole on resource: arn:aws:iam::---:role/ecsTaskExecutionRole because no identity-based policy allows the iam:PassRole action (Service: AmazonECS; Status Code: 400; Error Code: AccessDeniedException; Request ID: ---; Proxy: null)
Topics
ServerlessApplication IntegrationSecurity, Identity, & ComplianceContainers
Tags
AWS Step FunctionsAWS Identity and Access ManagementAWS Fargate
Language
English
Jibbr
asked a year ago202 views
1 Answer
0
Accepted Answer

AWS Step Functions can execute code and access AWS resources but in order to do so you must grant Step Functions access to those resources by using an IAM role. And because Step Functions will call another AWS service like ECS for you, you will need to allow Step Function to pass that role onto the other service. You can find more information on iam:PassRole here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html

profile pictureAWS
EXPERT
ben-from-aws
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content