
AWS ECS update-service error using cross account


From AWS account A I'm trying to force-deploy an ECS service on account B.

Before issuing the update-service command I'm assuming a role which has account B as the trusted entity:

temp_role=$(aws sts assume-role --role-arn arn:aws:iam::Account_A_ID:role/cloudformation/gocd-deploy-role --role-session-name "ecs-update-service")

Then I issue the update-service command to update the ECS service on account B like so:

aws ecs update-service \
  --service cluster-service \
  --cluster arn:aws:ecs:us-east-1:Account_B_ID:cluster/good-cluster \
  --force-new-deployment

And I get the following error:

An error occurred (InvalidParameterException) when calling the UpdateService operation: Identifier is for Account_B_ID. Your accountId is Account_A_ID

If I understand correctly, being on account A, I'm assuming a role which has account B as a trusted entity so it should be able to run commands on account B's resources. Why isn't it letting me run it?

Am I missing something?


Solution

  • I see you're assuming a role in the wrong account. I believe the correct build would be as follows...

    The role needs to be created in Account_B_ID with an AWS account type and the Account_A_ID specified in the Account ID.

    Then your user in Account_A_ID would be given a role with permissions to assume the role in Account_B_ID as follows:

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::Account_B_ID:role/deploy_role"
      }
    }
    

    Then you would run the following to get a cross-account token (this assumes your credentials are set up for the AWS CLI for your user in Account A):

    temp_role=$(aws sts assume-role --role-arn arn:aws:iam::Account_B_ID:role/deploy_role --role-session-name "ecs-update-service")
    

    Then you can use that token to call ECS as you specified.

    Additional information can be found in IAM tutorial: Delegate access across AWS accounts using IAM roles.
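As an added example (not code from the question or the answer above), the script below carries the answer's flow end to end: it assumes the role that lives in Account B, exports the returned temporary credentials (the question's snippet stores the assume-role output in a variable but never exports the credentials, so the CLI keeps calling ECS as Account A), and checks that the caller's account matches the cluster ARN's account before issuing update-service. The role name deploy_role, cluster good-cluster and the 12-digit account IDs in the sample JSON are placeholders; the sample assume-role output is constructed so the helpers can be exercised offline.

```shell
#!/bin/sh
# Added example: cross-account ECS deploy with credential export and an
# account check. Assumes the role ARN points into Account B and Account B's
# trust policy names Account A, as in the answer above.

# Account ID is the 5th ':'-separated field of any AWS ARN.
arn_account() {
  printf '%s' "$1" | cut -d: -f5
}

# Pull one string field out of assume-role JSON (no jq dependency).
# $1 = JSON text, $2 = key name
json_field() {
  printf '%s' "$1" | tr -d '\n' | sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p"
}

# Export the temporary credentials so later aws calls use the assumed role.
export_temp_creds() {
  AWS_ACCESS_KEY_ID=$(json_field "$1" AccessKeyId)
  AWS_SECRET_ACCESS_KEY=$(json_field "$1" SecretAccessKey)
  AWS_SESSION_TOKEN=$(json_field "$1" SessionToken)
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Succeed only when the caller ARN and the cluster ARN are in the same account.
# $1 = caller identity ARN, $2 = cluster ARN
check_same_account() {
  [ "$(arn_account "$1")" = "$(arn_account "$2")" ]
}

# Full flow: assume role in Account B, verify identity, force a new deployment.
# $1 = role ARN in Account B, $2 = cluster ARN, $3 = service name
deploy_service() {
  creds=$(aws sts assume-role --role-arn "$1" --role-session-name ecs-update-service) || return 1
  export_temp_creds "$creds"
  caller=$(aws sts get-caller-identity --query Arn --output text) || return 1
  check_same_account "$caller" "$2" || {
    echo "caller $caller is not in the cluster's account; check the role ARN/trust policy" >&2
    return 1
  }
  aws ecs update-service --cluster "$2" --service "$3" --force-new-deployment
}

# Constructed sample of assume-role output (placeholder IDs, not real credentials).
SAMPLE_ASSUME_ROLE_JSON='{"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secretEXAMPLE", "SessionToken": "tokenEXAMPLE", "Expiration": "2020-01-01T00:00:00Z"}, "AssumedRoleUser": {"AssumedRoleId": "AROAEXAMPLE:ecs-update-service", "Arn": "arn:aws:sts::222222222222:assumed-role/deploy_role/ecs-update-service"}}'
SAMPLE_CLUSTER_ARN='arn:aws:ecs:us-east-1:222222222222:cluster/good-cluster'
```

A real run would be `deploy_service arn:aws:iam::Account_B_ID:role/deploy_role "$SAMPLE_CLUSTER_ARN" cluster-service` with Account A credentials already configured for the CLI.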