
Step Function runs into iam:PassRole error on ECS RunTask


I am trying to make a step function that will start an ECS Fargate container with environment variables from the input. Whenever I try to run the function I get what seems to be an IAM error, but I made a new IAM account with the function. So it should have all of the needed permissions, and the account that I am using has nearly full permissions, so I don't know how it could be an IAM issue.

{
  "Comment": "A description of my state machine",
  "StartAt": "ECS RunTask",
  "States": {
    "ECS RunTask": {
      "Type": "Task",
      "Resource": "arn:aws:states:::ecs:runTask.sync",
      "Parameters": {
        "LaunchType": "FARGATE",
        "TaskDefinition": "arn:aws:ecs:us-east-1:---:task-definition/---",
        "Overrides": {
          "ContainerOverrides": [
            {
              "Name": "pls work",
              "Environment": [
                {
                  "Name": "INPUT",
                  "Value.$": "$.INPUT"
                }
              ]
            }
          ]
        }
      },
      "Next": "Success"
    },
    "Success": {
      "Type": "Succeed"
    }
  }
}

Here is the error that I am running into:

User: arn:aws:sts::---:assumed-role/StepFunctions-MyStateMachine---/--- is not authorized to perform: iam:PassRole on resource: arn:aws:iam::---:role/ecsTaskExecutionRole because no identity-based policy allows the iam:PassRole action (Service: AmazonECS; Status Code: 400; Error Code: AccessDeniedException; Request ID: ---; Proxy: null)
1 Answer

Accepted Answer

AWS Step Functions can execute code and access AWS resources, but in order to do so you must grant Step Functions access to those resources by using an IAM role. And because Step Functions will call another AWS service like ECS for you, you will need to allow Step Functions to pass that role on to the other service. You can find more information on iam:PassRole here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html

AWS EXPERT, answered 2 years ago
EXPERT, reviewed 6 months ago
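The error message names the exact gap: the state machine's role (StepFunctions-MyStateMachine---) may call ecs:RunTask, but it is not allowed to hand ecsTaskExecutionRole to ECS. ECS RunTask requires iam:PassRole for every role the task definition references, the executionRoleArn and, if one is set, the taskRoleArn. The following Python is an added example, not code from the question or the answer, and not an AWS SDK call: it builds a policy document for the state machine's role that adds the missing iam:PassRole grant alongside the other permissions the runTask.sync integration uses (ecs:StopTask, ecs:DescribeTasks and the managed EventBridge rule), and includes a small checker that reports which roles a given policy cannot pass. The account ID, the task definition name and the task role name are constructed placeholders standing in for the redacted values in the question; the iam:PassedToService condition is a standard IAM condition key that limits the pass to ECS tasks.

```python
"""Least-privilege policy for a Step Functions role that calls ecs:runTask.sync.

Added example for the re:Post thread above; not code from the poster or AWS.
All ARNs below are constructed placeholders for the redacted '---' values.
"""
import json

# Constructed sample values (account, task definition and task role are assumed).
REGION = "us-east-1"
ACCOUNT = "123456789012"
TASK_DEFINITION_ARN = f"arn:aws:ecs:{REGION}:{ACCOUNT}:task-definition/my-task:*"
EXECUTION_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/ecsTaskExecutionRole"
TASK_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/my-app-task-role"  # assumed taskRoleArn

# Shaped like the failing role in the question: it may run the task but passes no role.
BEFORE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecs:RunTask"], "Resource": [TASK_DEFINITION_ARN]},
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allows_pass_role(policy, role_arn):
    """Plain statement matching (not IAM's full evaluator, no Deny or wildcard
    expansion): True if some Allow statement grants iam:PassRole on role_arn."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "iam:PassRole" in actions and (role_arn in resources or "*" in resources):
            return True
    return False


def roles_missing_pass_role(policy, role_arns):
    """Roles from the task definition that this policy cannot pass to ECS."""
    return [arn for arn in role_arns if not allows_pass_role(policy, arn)]


def build_state_machine_policy(region, account, task_definition_arn, passed_role_arns):
    """Policy document for the state machine's role.

    passed_role_arns: every role the task definition names (executionRoleArn and,
    if present, taskRoleArn). RunTask needs iam:PassRole on each of them.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "RunTheTask",
                "Effect": "Allow",
                "Action": ["ecs:RunTask"],
                "Resource": [task_definition_arn],
            },
            {
                # .sync waits for the task, so Step Functions also describes/stops it.
                "Sid": "TrackTheTask",
                "Effect": "Allow",
                "Action": ["ecs:StopTask", "ecs:DescribeTasks"],
                "Resource": "*",
            },
            {
                # The grant the error message says is missing. PassedToService keeps
                # the role from being passed to any service other than ECS tasks.
                "Sid": "PassTaskRolesToEcs",
                "Effect": "Allow",
                "Action": ["iam:PassRole"],
                "Resource": list(passed_role_arns),
                "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}},
            },
            {
                # Managed EventBridge rule Step Functions uses to learn the task finished.
                "Sid": "SyncCompletionRule",
                "Effect": "Allow",
                "Action": ["events:PutTargets", "events:PutRule", "events:DescribeRule"],
                "Resource": [f"arn:aws:events:{region}:{account}:rule/StepFunctionsGetEventsForECSTaskRule"],
            },
        ],
    }


if __name__ == "__main__":
    wanted = [EXECUTION_ROLE_ARN, TASK_ROLE_ARN]
    print("Roles the failing policy cannot pass:", roles_missing_pass_role(BEFORE_POLICY, wanted))
    fixed = build_state_machine_policy(REGION, ACCOUNT, TASK_DEFINITION_ARN, wanted)
    print("Roles the fixed policy cannot pass:", roles_missing_pass_role(fixed, wanted))
    print(json.dumps(fixed, indent=2))
```

Attach the generated document to the state machine's role (the one named in the "assumed-role/..." part of the error), not to the ECS task roles, and keep the Resource list limited to the roles the task definition actually names; a PassRole grant on "*" would let the state machine launch tasks under any role in the account.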
