From AWS account A I'm trying to force-deploy an ECS service on account B.
Before issuing the update-service command I'm assuming a role which has account B as the trusted entity:
temp_role=$(aws sts assume-role --role-arn arn:aws:iam::Account_A_ID:role/cloudformation/gocd-deploy-role --role-session-name "ecs-update-service")
Then I issue the update-service command to update the ECS service on account B like so:
aws ecs update-service \
--service cluster-service \
--cluster arn:aws:ecs:us-east-1:Account_B_ID:cluster/good-cluster \
--force-new-deployment
And I get the following error:
An error occurred (InvalidParameterException) when calling the UpdateService operation: Identifier is for Account_B_ID. Your accountId is Account_A_ID
If I understand correctly, being on account A, I'm assuming a role which has account B as a trusted entity so it should be able to run commands on account B's resources. Why isn't it letting me run it?
Am I missing something?
I see you're assuming a role in the wrong account. I believe the correct build would be as follows...
The role needs to be created in Account_B_ID with an AWS account type and the Account_A_ID specified in the Account ID.
Then your user in Account_A_ID would be given a role with permissions to assume the role in Account_B_ID as follows:
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::Account_B_ID:role/deploy_role"
    }
}
Then you would run the following to get a cross-account token (this assumes your AWS CLI credentials are set up for your user in Account A):
temp_role=$(aws sts assume-role --role-arn arn:aws:iam::Account_B_ID:role/deploy_role --role-session-name "ecs-update-service")
Then you can use that token to call ECS as you specified.
Additional information can be found in IAM tutorial: Delegate access across AWS accounts using IAM roles.
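As an added example (not code from the question or the answer above), the following POSIX shell script puts the whole procedure together: assume the role that lives in Account_B_ID, export the temporary credentials so later CLI calls actually use them, and refuse to call update-service unless the identity now in use belongs to the same account as the cluster ARN, which is exactly the mismatch the InvalidParameterException reports. It assumes the trust policy on arn:aws:iam::Account_B_ID:role/deploy_role names Account_A_ID as the trusted principal, as the answer describes; the role and cluster ARNs are placeholders, and the credentials used in the comments are constructed, not real.

```shell
#!/bin/sh
# Cross-account ECS force deployment helper (added example, assumptions noted inline).
# Account IDs and ARNs below are placeholders; replace them with your own.

# Return the account id field of an ARN (arn:partition:service:region:account:resource).
arn_account_id() {
  printf '%s\n' "$1" | cut -d: -f5
}

# Convert one tab-separated line of "AccessKeyId SecretAccessKey SessionToken",
# as produced by `aws sts assume-role --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text`,
# into export statements. Capturing the JSON into a variable alone does nothing;
# the CLI only uses the role if these three variables are exported.
creds_to_exports() {
  IFS="$(printf '\t')" read -r ak sk tok <<EOF
$1
EOF
  printf 'export AWS_ACCESS_KEY_ID=%s\nexport AWS_SECRET_ACCESS_KEY=%s\nexport AWS_SESSION_TOKEN=%s\n' \
    "$ak" "$sk" "$tok"
}

# Succeed only when the caller's account equals the account in the cluster ARN.
check_same_account() {
  caller_account=$1   # from: aws sts get-caller-identity --query Account --output text
  cluster_arn=$2
  [ "$caller_account" = "$(arn_account_id "$cluster_arn")" ]
}

# deploy ROLE_ARN CLUSTER_ARN SERVICE_NAME
# Runs the real AWS CLI calls; requires network access and valid Account A credentials.
deploy() {
  role_arn=$1
  cluster_arn=$2
  service=$3

  creds=$(aws sts assume-role \
            --role-arn "$role_arn" \
            --role-session-name "ecs-update-service" \
            --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
            --output text) || return 1
  eval "$(creds_to_exports "$creds")"

  # Verify which account the CLI will act as before touching the service.
  caller=$(aws sts get-caller-identity --query Account --output text) || return 1
  if ! check_same_account "$caller" "$cluster_arn"; then
    echo "caller account $caller does not match cluster account $(arn_account_id "$cluster_arn")" >&2
    return 1
  fi

  aws ecs update-service \
    --cluster "$cluster_arn" \
    --service "$service" \
    --force-new-deployment
}

# Example invocation (placeholders):
#   ./deploy.sh arn:aws:iam::Account_B_ID:role/deploy_role \
#               arn:aws:ecs:us-east-1:Account_B_ID:cluster/good-cluster cluster-service
if [ "$#" -eq 3 ]; then
  deploy "$@"
fi
```

The get-caller-identity check costs one extra STS call but turns the confusing ECS error into a clear message about which account the credentials actually belong to, which is the first thing to look at whenever a cross-account call fails.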