amazon-iamterraform-provider-awsterraform0.12+aws-batchaws-iam-policy

error creating Batch Compute Environment (<name>) Error executing request, Exception : arn:aws:iam::xxx:role/xyz role is not authorised


I'm creating an AWS IAM role with the following terraform block. This enables AmazonECSTaskExecutionRolePolicy permission.

resource "aws_iam_role" "my_ecs_task_execution_role" {
  name_prefix = "my_ecs_task_execution_role"
  assume_role_policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "ecs-tasks.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
EOF
  description = "Allows ECS tasks to call AWS ECS on your behalf."
}

And I'm using the above IAM role to create a AWS Batch Job Definition like below.

resource "aws_batch_job_definition" "job_def_m_8_c_4" {
  name = "m_8_c_4"
  type = "container"
  platform_capabilities = ["EC2"]
  container_properties = <<CONTAINER_PROPERTIES
  {
    "executionRoleArn": "${aws_iam_role.my_ecs_task_execution_role.arn}",
    "image": "<image_uri>",
    "memory": 8000,
    "vcpus": 4 
  }
CONTAINER_PROPERTIES
  timeout {
    attempt_duration_seconds = 21600
  }
}

And I've also added the necessary job queue and the compute environment.

But the problem here, when I run terraform apply, I'm getting some strange errors for the first time that -

 error creating Batch Job Definition (m_8_c_4): : Error executing request, Exception : 
arn:aws:iam::xxx:role/my_ecs_task_execution_rolexyz role is not authorized., 
RequestId: xyzzys-xyzxyz-xyzxyxz

And I using Terraform - v1.4.4

Solutions that I already tried

I tried adding "AWS": "arn:aws:iam::<account_id>:root" to aws_iam_role.my_ecs_task_execution_role and again got the same result.

I've also verified the STS endpoints and they are active across all regions.


Solution

  • Your role does not appear to have any permissions. Defining the assume_role_policy will merely allow ECS to assume the role.

    Consider attaching the AmazonECSTaskExecutionRolePolicy AWS-managed policy to your role:

    resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_policy" {
      role       = aws_iam_role.my_ecs_task_execution_role.name
      policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
    }