aws lambda function can't update ecs service
When trying to call update_service on an ECS service using Python boto3, I got an error like this:

An error occurred (AccessDeniedException) when calling the UpdateService operation: User: arn:aws:sts::xxx:assumed-role/infra-conductors/infra-conductors is not authorized to perform: iam:PassRole on resource: arn:aws:iam::xxx:role/ecs/ecsTaskExecutionRole-test with an explicit deny in a service control policy

but I've already added permissions and a trust policy to this Lambda:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "test",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::xxx:role/ecs/ecsTaskExecutionRole-test"
            ]
        }
    ]
}

and,

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "lambda.amazonaws.com",
                    "ecs.amazonaws.com",
                    "ecs-tasks.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

BTW, I attached other permissions to this Lambda, and it can restart an ECS service or change the desiredCount, but when I try to change the task definition, I get this error.

Selfsame answered 30/5, 2023 at 3:56 Comment(0)

The error says that it was denied with an explicit deny. This means that somewhere there is a policy that explicitly denies what you are trying to do. Since a deny statement always takes precedence over any allow, you first have to find the policy with the deny and remove it.

Traditor answered 30/5, 2023 at 5:40 Comment(5)
The "in a service control policy" part of the error message indicates that this explicit deny is most likely in a Service Control Policy (SCP) applied to the whole account, so it may be difficult to find unless you have access to the Organization Management account. You should probably talk to your AWS Admin/Security People. – Condenser
Yeah, I found the explicit deny in our SCP. Thx. { "Version": "2012-10-17", "Statement": [ { "Sid": "ExplicitIAMPassRole", "Action": [ "iam:PassRole" ], "Resource": "*", "Effect": "Deny", "Condition": { "ArnNotLike": { – Selfsame
@Selfsame Is it still unclear why you get access denied? – Traditor
@Marcin, thanks. I found that the SCP disables PassRole. Now my question is whether it is possible to update the service without changing the SCP, because it is set globally by the company. – Selfsame
@Selfsame Sadly, it's not possible. That's the entire point of explicit denies. – Traditor
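To make the precedence rule from the answer concrete, here is an added Python example (not code from the question, the answer or AWS) that models how IAM combines the asker's identity policy with an SCP shaped like the one quoted in the comments. The page's SCP is cut off after "ArnNotLike", so the condition key (aws:PrincipalArn) and the exempted role pattern are assumptions; note that aws:PrincipalArn carries the role ARN, not the sts assumed-role ARN shown in the error.

```python
import fnmatch
# Identity policy from the question (attached to the Lambda's role).
IDENTITY_POLICY = [
    {"Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": ["arn:aws:iam::xxx:role/ecs/ecsTaskExecutionRole-test"]},
]

# Constructed SCP modelled on the one quoted in the comments. The page's copy is
# truncated after "ArnNotLike", so the condition key (aws:PrincipalArn) and the
# exempted role pattern are assumptions, not the company's real values.
SCP = [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "ExplicitIAMPassRole", "Effect": "Deny", "Action": ["iam:PassRole"],
     "Resource": "*", "Condition": {"ArnNotLike": {
         "aws:PrincipalArn": "arn:aws:iam::*:role/approved-passrole-*"}}},
]

def _matches(value, patterns):
    """IAM-style wildcard match: '*' spans any characters, '?' exactly one."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(cond, ctx):
    for op, pairs in cond.items():
        for key, patterns in pairs.items():
            hit = _matches(ctx.get(key, ""), patterns)
            if (op == "ArnLike" and not hit) or (op == "ArnNotLike" and hit):
                return False
    return True

def _layer_result(statements, action, resource, ctx):
    """Deny / Allow / ImplicitDeny for one policy layer."""
    result = "ImplicitDeny"
    for s in statements:
        if (_matches(action, s["Action"]) and _matches(resource, s["Resource"])
                and _condition_holds(s.get("Condition", {}), ctx)):
            if s["Effect"] == "Deny":
                return "Deny"  # an applicable explicit Deny is final
            result = "Allow"
    return result

def evaluate(action, resource, ctx, scp=SCP, identity=IDENTITY_POLICY):
    """Every layer must Allow; a Deny in any layer wins over all Allows."""
    layers = {"SCP": _layer_result(scp, action, resource, ctx),
              "identity": _layer_result(identity, action, resource, ctx)}
    for name, r in layers.items():
        if r == "Deny":
            return f"ExplicitDeny ({name})"
    return "Allow" if all(r == "Allow" for r in layers.values()) else "ImplicitDeny"
```

Running evaluate("iam:PassRole", ...) with the Lambda's role ARN in the context reproduces the asker's situation: the identity policy allows, the SCP denies, and the deny wins, so the only remedies are changing the SCP or running the update from a role the SCP exempts.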
