Add tagging to IAM for continuous deployment

Amazon ECS now requires the ecs:TagResource permission for tagging resources at creation. Failing to update before March 29th will result in "AccessDenied" errors when creating tagged ECS resources.

For the Golden Path, this means that continuous deployment for applications will fail, unless the IAM policies are updated.

Affected versions

IAM policies for continuous deployment.

More specifically, if your continuous deployment calls any of the ECS API actions, you will need to update your IAM policies as described in this guide.

Details

Add ecs:TagResource to IAM policies (generic)

Before you begin

In your terminal, make sure the AWS CLI is configured for the AWS region where your applications are located:

aws configure get region

Step 1: Enable tagging authorization

Before enabling tagging authorization, verify that it is currently turned off.

aws ecs list-account-settings --effective-settings --principal-arn "root"

The output should display various settings, including the tagResourceAuthorization setting, which is set to off.

Now enable tagging authorization:

aws ecs put-account-setting-default \
  --name tagResourceAuthorization \
  --value on

Verify that tagging authorization is now set to on by re-running the command above:

aws ecs list-account-settings --effective-settings --principal-arn "root"

Step 2: Verify that continuous deployment fails (optional)

Trigger a deployment of an application to verify that your continuous deployment pipeline fails with an error message that contains "no identity-based policy allows the ecs:TagResource action".

Error message example

Error: updating tags for ECS (Elastic Container) Task Definition (
arn:aws:ecs:eu-west-1:123456789012:task-definition/some-task-definition:1):tagging
resource (arn:aws:ecs:eu-west-1:123456789012:task-definition/some-task-definition:1):
AccessDeniedException:User: arn:aws:sts::12345678901:assumed-role/... is not authorized to
perform: ecs:TagResource on resource:
arn:aws:ecs:eu-west-1:123456789012:task-definition/some-task-definition:1 because no
identity-based policy allows the ecs:TagResource action

Step 3: Update your IAM policy

If you are using the Golden Path and its iam-policies-generic module, you can update your iam stack to use the ecs_tagging policy document. Then proceed to the next step.

If not, locate where the IAM policies currently used by your continuous deployment are defined.

One way to do this is to search your IaC repository for ecs:RegisterTaskDefinition. This string may also be located inside a module. If that is the case, a direct search may return no results, and you will have to work out which module to update.

Why ecs:RegisterTaskDefinition?

The ecs:RegisterTaskDefinition action is used to update a task definition, which continuous deployment needs. Wherever you find this action granted is likely close to the place that needs updating.

Create or modify a policy to allow creating resources with tags. Here is one example in Terraform:

data "aws_iam_policy_document" "ecs_tagging" {
  statement {
    sid    = "ECSTagging"
    effect = "Allow"

    resources = [
      "arn:aws:ecs:${var.region}:${var.account_id}:service/${var.environment}/my-service",
      "arn:aws:ecs:${var.region}:${var.account_id}:task-definition/*"
    ]

    actions = [
      "ecs:TagResource",
      "ecs:UntagResource"
    ]
  }
}

You must add the above policy document to your existing policies, or create a new policy and attach it to the IAM role used by continuous deployment. If you are unsure how to proceed, you can contact us for help.
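As an added check (example code written for this guide, not part of the Golden Path modules), the script below evaluates a policy document locally: it finds the statements that grant ecs:RegisterTaskDefinition, which is where the update belongs, and reports which tagging permissions are still missing for a given task-definition or service ARN. The sample policy is constructed, and the evaluator only models unconditional Allow statements.

```python
import fnmatch
import json

# Constructed sample policy: a typical continuous-deployment role policy that
# grants ecs:RegisterTaskDefinition but predates ECS tagging authorization.
CD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ECSDeploy", "Effect": "Allow", "Resource": "*",
     "Action": ["ecs:RegisterTaskDefinition", "ecs:UpdateService", "ecs:DescribeServices"]},
    {"Sid": "PassRole", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/ecs-task-role"}
  ]
}""")
TAG_ACTIONS = ("ecs:TagResource", "ecs:UntagResource")

def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single one.
    # Action names are case-insensitive, so both sides are lower-cased.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def is_allowed(policy, action, resource_arn):
    """Simplified evaluation: True if an unconditional Allow statement matches
    both the action and the resource. Deny, NotAction, NotResource and
    Condition are not modelled (an assumption of this example)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Condition" in stmt or "Action" not in stmt:
            continue
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if any(_matches(r, resource_arn) for r in _as_list(stmt.get("Resource", []))):
            return True
    return False

def deploy_statement_sids(policy):
    """Sids of statements granting ecs:RegisterTaskDefinition: the spot to update."""
    return [s.get("Sid", "<no sid>") for s in policy["Statement"]
            if s.get("Effect") == "Allow"
            and any(_matches(a, "ecs:RegisterTaskDefinition")
                    for a in _as_list(s.get("Action", [])))]

def missing_tag_permissions(policy, resource_arns):
    """(action, arn) pairs that continuous deployment still lacks."""
    return [(a, arn) for arn in resource_arns for a in TAG_ACTIONS
            if not is_allowed(policy, a, arn)]
```

Run it against the policy document attached to your deployment role before terraform apply and again after; an empty result from missing_tag_permissions means the task-definition ARN is covered.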

Step 4: Apply

Run terraform apply to apply the changes.

Verify

Trigger a new deployment, and verify that it succeeds.