Allow ECS task to AssumeRole into another account

Time:04-01

I've looked at this question and this one but I'm not able to deploy a role into a child account which allows an ECS task running in the parent account to AssumeRole into it.

Terraform code:

data "aws_iam_policy_document" "cross-account-assume-role-child" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = [
        "arn:aws:sts::${var.master_account_ID}:assumed-role/${var.cross_account_role_name}"
      ]
    }
  }
}

When I run terraform, the plan succeeds but the apply fails with the following error:

Error: failed creating IAM Role (ECS-cross-account-child-role): 
MalformedPolicyDocument: Invalid principal in policy: 
"AWS":"arn:aws:sts::<AWS Account ID>:assumed-role/ECS-cross-account-master-role"

I get the same error if I try to manually update the policy like above in the AWS console so this isn't due to terraform.

What am I doing wrong?

CodePudding user response:

The ARN you need to specify in the policy is the one of the IAM role, not of the assumed credentials:

arn:aws:iam::${var.master_account_ID}:role/${var.cross_account_role_name}

instead of sts and assumed-role.
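Both halves of the cross-account setup, as an added example that is not part of the answer above: the child account's trust policy names the IAM role ARN, and the parent account's ECS task role is separately allowed to call sts:AssumeRole on the child role (a trust policy alone is not enough). It assumes two provider aliases, aws.parent and aws.child, and a var.child_account_ID variable that the question does not define.

```hcl
# Child account: trust policy. The principal is the IAM role ARN (arn:aws:iam::...:role/...),
# not the STS assumed-role ARN that the running task sees in its own credentials.
data "aws_iam_policy_document" "cross-account-assume-role-child" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.master_account_ID}:role/${var.cross_account_role_name}"]
    }
  }
}

resource "aws_iam_role" "child" {
  provider           = aws.child # assumed provider alias for the child account
  name               = "ECS-cross-account-child-role"
  assume_role_policy = data.aws_iam_policy_document.cross-account-assume-role-child.json
}

# Parent account: the ECS task role must itself be permitted to assume the child role.
# Scoping the resource to the one child role keeps the task from assuming anything else.
data "aws_iam_policy_document" "assume-child" {
  statement {
    actions   = ["sts:AssumeRole"]
    resources = ["arn:aws:iam::${var.child_account_ID}:role/ECS-cross-account-child-role"] # var.child_account_ID is assumed
  }
}

resource "aws_iam_role_policy" "task-assume-child" {
  provider = aws.parent # assumed provider alias for the parent account
  role     = var.cross_account_role_name
  policy   = data.aws_iam_policy_document.assume-child.json
}
```

The task can then call sts:AssumeRole on the child role ARN; CloudTrail in the child account records the parent role's session as the caller, which is what to check when an assume-role attempt is denied.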
