Dockerized NodeJS in Fargate can't generate a working AWS pre-signed URL

Time:11-01

I have a dockerized NodeJS application, and I put the image in AWS ECR. It works well running in my local environment with docker-compose: I can generate a pre-signed PUT URL, and the pre-signed URL also works, so I can upload an object to it. I tried to run the same ECR image with ECS Fargate, but there I can't PUT the object to the generated pre-signed URL. I get an access denied error.

Edit: I suspect the issue comes from the IAM role and permissions. I build the ECS Fargate infrastructure through CloudFormation, but it seems the role is properly set up:

# Task execution role: assumed by the ECS agent to pull the image, read the
# SSM/Secrets Manager values and ship logs. The container's own AWS SDK
# credentials do not come from this role.
ECSTaskExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${ContainerName}-ECSTaskExecutionRolePolicy"
      Path: /
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Resource:
                  - !Ref DBHostSSMARN
                  - !Ref DBPortSSMARN
                  - !Ref DBUsernameSSMARN
                  - !Ref DBPasswordSSMARN
                Effect: Allow
                Action:
                  - "ssm:GetParameters"
                  - "secretsmanager:GetSecretValue"
                  - "kms:Decrypt"
              - Resource: "*"
                Effect: Allow
                Action:
                  - cloudwatch:*
                  - ecr:GetDownloadUrlForLayer
                  - ecr:BatchGetImage
                  - ecr:BatchCheckLayerAvailability
              # S3 access granted here, on the execution role (see the answer below)
              - Resource:
                  - !Sub arn:aws:s3:::${VideoRepoName}
                  - !Sub arn:aws:s3:::${VideoRepoName}/*
                Effect: Allow
                Action:
                  - s3:*

CodePudding user response:

I had assigned the S3 permission to the wrong role. I am supposed to give the S3 permission to the Task Role, not the Task Execution Role.
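The corrected layout, as an added example rather than the asker's own template: the execution role keeps only what the ECS agent needs (pull the image, read the parameters, write logs), and the application's S3 access moves to a separate task role, which is the role the container's SDK credentials are issued for. A pre-signed URL is signed with those credentials, so a PUT against it succeeds only if the signing role is allowed to put that object. Parameter names (ContainerName, VideoRepoName, the DB*SSMARN parameters) are taken from the question; the ImageUri parameter, the task definition sizing and the policy names are assumptions for this example.

```yaml
Resources:
  # Execution role: used by the ECS agent, never by code inside the container.
  # The managed policy already covers the ECR pull and CloudWatch Logs writes.
  ECSTaskExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${ContainerName}-ECSTaskExecutionRole"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
      Policies:
        - PolicyName: read-container-secrets   # assumed name
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - ssm:GetParameters
                  - secretsmanager:GetSecretValue
                  - kms:Decrypt
                Resource:
                  - !Ref DBHostSSMARN
                  - !Ref DBPortSSMARN
                  - !Ref DBUsernameSSMARN
                  - !Ref DBPasswordSSMARN

  # Task role: what the NodeJS process inside the container actually runs as.
  # This is the principal that signs the pre-signed URL, so it must hold the
  # S3 permission. Scoped to the two operations the app needs instead of s3:*,
  # because anything granted here is usable by any code running in the task.
  ECSTaskRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${ContainerName}-ECSTaskRole"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: presign-video-uploads   # assumed name
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:PutObject
                  - s3:GetObject
                Resource: !Sub arn:aws:s3:::${VideoRepoName}/*

  # The task definition has to reference BOTH roles; leaving TaskRoleArn out
  # leaves the container with no AWS credentials at all.
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: !Ref ContainerName
      RequiresCompatibilities: [FARGATE]
      NetworkMode: awsvpc
      Cpu: "256"      # assumed sizing
      Memory: "512"   # assumed sizing
      ExecutionRoleArn: !GetAtt ECSTaskExecutionRole.Arn   # ECS agent
      TaskRoleArn: !GetAtt ECSTaskRole.Arn                 # application SDK
      ContainerDefinitions:
        - Name: !Ref ContainerName
          Image: !Ref ImageUri   # assumed parameter holding the ECR image URI
          Essential: true
```

To confirm which role the container is really using, run `aws sts get-caller-identity` inside the task (for example over ECS Exec): the returned ARN should name the task role, not the execution role. The SDK in the container picks the task role credentials up automatically from the ECS credentials endpoint, so no access keys need to be baked into the image or passed as environment variables.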
