I'm creating an AWS IAM role with the following Terraform block. This enables the AmazonECSTaskExecutionRolePolicy permission.

```hcl
resource "aws_iam_role" "my_ecs_task_execution_role" {
  name_prefix        = "my_ecs_task_execution_role"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
  description        = "Allows ECS tasks to call AWS ECS on your behalf."
}
```
And I'm using the above IAM role to create an AWS Batch Job Definition like below.

```hcl
resource "aws_batch_job_definition" "job_def_m_8_c_4" {
  name                  = "m_8_c_4"
  type                  = "container"
  platform_capabilities = ["EC2"]
  container_properties  = <<CONTAINER_PROPERTIES
{
  "executionRoleArn": "${aws_iam_role.my_ecs_task_execution_role.arn}",
  "image": "<image_uri>",
  "memory": 8000,
  "vcpus": 4
}
CONTAINER_PROPERTIES
  timeout {
    attempt_duration_seconds = 21600
  }
}
```
And I've also added the necessary job queue and the compute environment.

But the problem here is that when I run `terraform apply`, I'm getting some strange errors for the first time:

```
error creating Batch Job Definition (m_8_c_4): : Error executing request, Exception :
arn:aws:iam::xxx:role/my_ecs_task_execution_rolexyz role is not authorized.,
RequestId: xyzzys-xyzxyz-xyzxyxz
```

And I'm using Terraform v1.4.4.

Solutions that I have already tried:

I tried adding `"AWS": "arn:aws:iam::<account_id>:root"` to `aws_iam_role.my_ecs_task_execution_role` and again got the same result.

I've also verified the STS endpoints and they are active across all regions.
Your role does not appear to have any permissions. Defining the `assume_role_policy` will merely allow ECS to assume the role.

Consider attaching the AmazonECSTaskExecutionRolePolicy AWS-managed policy to your role:

```hcl
resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_policy" {
  role       = aws_iam_role.my_ecs_task_execution_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}
```
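As an added example (not part of the question or the answer above), the following script checks offline the two things the answer points at: that the trust policy lets `ecs-tasks.amazonaws.com` assume the role, and that the role actually carries the managed execution policy. The function names `trusts_ecs_tasks` and `diagnose` are my own, and the trust document and attached-policy lists are constructed samples shaped like the JSON that `aws iam get-role` and `aws iam list-attached-role-policies` return.

```python
import json

ECS_TASKS_PRINCIPAL = "ecs-tasks.amazonaws.com"
EXECUTION_POLICY_ARN = (
    "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
)


def trusts_ecs_tasks(trust_policy: dict) -> bool:
    """True if an Allow statement lets ecs-tasks.amazonaws.com call sts:AssumeRole."""
    for stmt in trust_policy.get("Statement", []):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        # Both "Action" and "Principal.Service" may be a string or a list in IAM JSON.
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        services = principal.get("Service", [])
        services = [services] if isinstance(services, str) else services
        if "sts:AssumeRole" in actions and ECS_TASKS_PRINCIPAL in services:
            return True
    return False


def diagnose(trust_policy: dict, attached_policy_arns: list) -> list:
    """Return findings for a task execution role; an empty list means it looks right."""
    findings = []
    if not trusts_ecs_tasks(trust_policy):
        findings.append("trust policy does not let ecs-tasks.amazonaws.com assume the role")
    if EXECUTION_POLICY_ARN not in attached_policy_arns:
        findings.append("AmazonECSTaskExecutionRolePolicy is not attached: role has no permissions")
    return findings


# Constructed sample inputs: the trust policy from the question, once with no
# attached policies (the failing state) and once after the attachment.
SAMPLE_TRUST = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Sid": "", "Effect": "Allow",
  "Principal": {"Service": "ecs-tasks.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
""")
ATTACHED_BEFORE = []
ATTACHED_AFTER = [EXECUTION_POLICY_ARN]

if __name__ == "__main__":
    print("before:", diagnose(SAMPLE_TRUST, ATTACHED_BEFORE) or ["ok"])
    print("after:", diagnose(SAMPLE_TRUST, ATTACHED_AFTER) or ["ok"])
```

A trust policy that names only the account root as an `"AWS"` principal, as tried in the question, still fails the first check, which is why that change alone did not help.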