How can I configure ECS task role to limit access from ECS Fargate Task to AWS resources by Task Tag?

0

I'm creating ECS task definition and executing task by RunTask operation.

I want to allow ECS task to retrieve S3 file s3://esolang-worker/0123456789/code. This can be configured by ECS task role and IAM Policy attached to it.

How can I allow access to S3 file only when ECS task has a specific tag? For example, Tag name = "Status" and Tag value = "OK"?

I configured the following CloudFormation resource and tagged ECS task with "Status: OK", but access is denied.

              - Effect: Allow
                Action:
                  - 's3:GetObject'
                Resource:
                  - 'arn:aws:s3:::esolang-worker/0123456789/code'
                Condition:
                  StringEquals:
                    'aws:RequestTag/Status': 'OK'

Full configuration

AWSTemplateFormatVersion: 2010-09-09
Resources:
  ECSTestTaskDefinition:
    Type: 'AWS::ECS::TaskDefinition'
    Properties:
      TaskRoleArn: !GetAtt ECSTestTaskRole.Arn
      ExecutionRoleArn: !GetAtt ECSTestExecutionRole.Arn
      ContainerDefinitions:
        - Name: Test
          Image: public.ecr.aws/aws-cli/aws-cli
          Command:
            - 's3'
            - 'cp'
            - 's3://esolang-worker/0123456789/code'
            - '-'
          Essential: true
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: /ecs/test
              awslogs-region: ap-northeast-1
              awslogs-create-group: 'true'
              awslogs-stream-prefix: ecs
      Family: ecs-test
      Cpu: 256
      Memory: 512
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      RuntimePlatform:
        OperatingSystemFamily: LINUX
  ECSTestTaskRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: ecs-test-task-role
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: [ecs-tasks.amazonaws.com]
            Action: ['sts:AssumeRole']
      Policies:
        - PolicyName: AllowTaskToRetrieveS3File
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 's3:ListBucket'
                Resource:
                  - 'arn:aws:s3:::esolang-worker'
              - Effect: Allow
                Action:
                  - 's3:GetObject'
                Resource:
                  - 'arn:aws:s3:::esolang-worker/0123456789/code'
                Condition:
                  StringEquals:
                    'aws:RequestTag/Status': 'OK'
  ECSTestExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: ecs-test-execution-role
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: [ecs-tasks.amazonaws.com]
            Action: ['sts:AssumeRole']
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
      Policies:
        - PolicyName: AllowTaskToCreateLogStreamAndPutLog
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'logs:CreateLogStream'
                  - 'logs:CreateLogGroup'
                  - 'logs:DescribeLogStreams'
                  - 'logs:PutLogEvents'
                Resource: '*'

By running task from AWS console with the following configurations:

this example outputs the following message.

download failed: s3://esolang-worker/0123456789/code to - An error occurred (403) when calling the HeadObject operation: Forbidden

When I remove Condition from s3:GetObject policy, this example successfully displays file content.

2 Answers
1
Accepted Answer

The aws:RequestTag condition key is used to control access based on the tags associated with the AWS request, not the resource (in this case, the ECS task). In the ECS context, tasks don't have tags associated with the request itself.

Instead, you can use the aws:ResourceTag condition key to control access based on the tags associated with the ECS task. Here's how you can modify your IAM policy to achieve this:

Policies:
  - PolicyName: AllowTaskToRetrieveS3File
    PolicyDocument:
      Statement:
        - Effect: Allow
          Action:
            - 's3:ListBucket'
          Resource:
            - 'arn:aws:s3:::esolang-worker'
        - Effect: Allow
          Action:
            - 's3:GetObject'
          Resource:
            - 'arn:aws:s3:::esolang-worker/0123456789/code'
          Condition:
            StringEquals:
              'aws:ResourceTag/Status': 'OK'

In this updated policy, the aws:ResourceTag/Status condition key checks for the Status tag on the ECS task itself. If the task has a tag with the key Status and value OK, it will be granted access to the S3 object s3://esolang-worker/0123456789/code.

To tag your ECS task, you need to add the tag to the task definition. You can do this by modifying the ECSTestTaskDefinition resource in your CloudFormation template:

ECSTestTaskDefinition:
  Type: 'AWS::ECS::TaskDefinition'
  Properties:
    TaskRoleArn: !GetAtt ECSTestTaskRole.Arn
    ExecutionRoleArn: !GetAtt ECSTestExecutionRole.Arn
    ContainerDefinitions:
      # ... (container definitions)
    Family: ecs-test
    Cpu: 256
    Memory: 512
    NetworkMode: awsvpc
    RequiresCompatibilities:
      - FARGATE
    RuntimePlatform:
      OperatingSystemFamily: LINUX
    Tags:
      - Key: Status
        Value: OK

With this configuration, any ECS task created from the ECSTestTaskDefinition will have the Status: OK tag, and the IAM policy will grant access to the S3 object based on this tag.

Note that tags are associated with resources at the time of creation, so if you need to change the tags on an existing task, you'll need to update the task definition and update your service or run a new task using it.

profile pictureAWS
answered a month ago
profile picture
EXPERT
reviewed 24 days ago
0

Have you tried with that counterpart translation of

"Condition": {
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "Env",
            "CostCenter"
          ]
        }
      }

?

Reference: https://repost.aws/knowledge-center/iam-tag-based-restriction-policies

profile picture
EXPERT
answered a month ago
profile picture
EXPERT
reviewed a month ago
  • I tried the following configuration, but the result is that the access to S3 is allowed for the tasks with any value of Status tag.

    Condition:
      'ForAllValues:StringEquals':
        'aws:TagKeys':
          - Status
    

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions