CodexBloom - Programming Q&A Platform

AWS IAM Role Permissions Not Propagating for ECS Tasks Running with Fargate

👀 Views: 513 💬 Answers: 1 📅 Created: 2025-06-05
aws ecs iam fargate permissions json

I'm migrating some code and I'm facing an issue where the IAM role permissions I've assigned to my ECS task running on Fargate do not seem to be propagating correctly. I have created a new IAM role with the necessary permissions to access S3 and DynamoDB, but the tasks are throwing `AccessDeniedException` when trying to read from S3. Here's the IAM policy I attached to the role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:Scan"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/my-table"
    }
  ]
}
```

In my task definition, I have set the `taskRoleArn` to the ARN of the IAM role. Here's a snippet of my task definition:

```json
{
  "family": "my-task-family",
  "taskRoleArn": "arn:aws:iam::123456789012:role/my-task-role",
  "containerDefinitions": [
    {
      "name": "my-container",
      "image": "my-image:latest",
      "memory": 512,
      "cpu": 256,
      "essential": true
    }
  ]
}
```

Despite this, I'm getting `Access Denied` errors when the task tries to access the S3 bucket. I have verified that the role is correctly associated with the task by checking the ECS console and it appears to be correct. I also ensured that the S3 bucket policy allows access from the IAM role. Here's the relevant part of the bucket policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/my-task-role"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
```

I've tried redeploying the task and even restarting the ECS service, but the issue persists. I would appreciate any help or suggestions on what I might be missing in this configuration. Thanks for your help in advance!
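An added example, not part of the original question: a simplified local evaluation of the two policy documents posted above against the calls such a task would make. It models only Principal/Action/Resource matching with explicit-deny precedence inside one account (no conditions, permission boundaries, SCPs or role trust policy), and the function names and sample object key are constructed for illustration.

```python
import re

# Policy documents and role ARN copied from the question above.
TASK_ROLE_ARN = "arn:aws:iam::123456789012:role/my-task-role"
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]},
    {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Scan"],
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/my-table"}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": TASK_ROLE_ARN},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _principal_matches(stmt, role_arn):
    """Identity policies have no Principal; resource policies must name the role."""
    principal = stmt.get("Principal")
    if principal is None or principal == "*":
        return True
    return any(p in ("*", role_arn) for p in _as_list(principal.get("AWS", [])))

def covering_statements(policy, role_arn, action, resource):
    """Return the statements of one policy that apply to this request."""
    return [s for s in _as_list(policy["Statement"])
            if _principal_matches(s, role_arn)
            and any(_glob(a, action, ignore_case=True) for a in _as_list(s["Action"]))
            and any(_glob(r, resource) for r in _as_list(s["Resource"]))]

def evaluate(policies, role_arn, action, resource):
    """Same-account decision: explicit Deny wins, then any Allow, else implicit deny."""
    effects = [s["Effect"] for p in policies
               for s in covering_statements(p, role_arn, action, resource)]
    if "Deny" in effects:
        return "explicit-deny"
    return "allow" if "Allow" in effects else "implicit-deny"

if __name__ == "__main__":
    table = "arn:aws:dynamodb:us-east-1:123456789012:table/my-table"
    key = "arn:aws:s3:::my-bucket/reports/2025.json"  # constructed sample key
    for action, resource in [("s3:GetObject", key), ("s3:ListBucket", "arn:aws:s3:::my-bucket"),
                             ("s3:PutObject", key), ("dynamodb:Query", table)]:
        print(action, resource, evaluate([IDENTITY_POLICY, BUCKET_POLICY], TASK_ROLE_ARN, action, resource))
```

A request that evaluates to `allow` here is covered by these two documents as written; anything outside them is not modelled.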