Add tagging to IAM for continuous deployment
Amazon ECS now requires the ecs:TagResource permission for tagging resources at creation. Once tagging authorization is enabled (it becomes the default on March 29th), a principal that creates an ECS resource with tags must also be allowed ecs:TagResource; otherwise the create call fails with an AccessDenied error.
For the Golden Path, this means that continuous deployment of applications will fail unless the IAM policies are updated, because every deployment registers a tagged task definition.
Affected versions
IAM policies for continuous deployment.
More specifically, if your continuous deployment creates ECS resources with tags (for example by registering task definitions or creating services), you will need to update your IAM policies as described in this guide.
Details
Related issues
Add ecs:TagResource to IAM policies generic
Before you begin
In your terminal, make sure your AWS CLI session is authenticated against the account and region where your applications are located. All commands below act on that account.
Step 1: Enable tagging authorization
Before enabling tagging authorization, verify that it is currently turned off by listing the effective ECS account settings.
The output should display various settings, including the tagResourceAuthorization setting, with its value set to off. The effective value is what matters: a setting stored for an individual principal overrides the account default.
Now enable tagging authorization. Note that tagging authorization applies to every principal it is enabled for, not only the continuous-deployment role, so any other automation that creates tagged ECS resources will need ecs:TagResource as well.
Verify that tagging authorization is now set to on by re-running the listing command above.
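The check, the change and the re-check of this step, as an added shell example (not part of the original guide) using the AWS CLI. It assumes the CLI is already authenticated against the right account; the region is a placeholder, and the two operations it relies on are aws ecs list-account-settings with --effective-settings and aws ecs put-account-setting-default.

```shell
#!/bin/sh
# Added example, not part of the original guide: check and enable ECS tagging
# authorization with the AWS CLI, then confirm the effective value before
# relying on it. Assumes the CLI is already authenticated; the region is a
# placeholder.
set -eu

AWS_REGION="${AWS_REGION:-eu-west-1}"   # assumption: the region of your applications

# Prints the effective value ("on" or "off") of tagResourceAuthorization.
# --effective-settings returns what actually applies to the calling principal,
# so a principal-level override of the account default shows up here.
tag_auth_state() {
  aws ecs list-account-settings \
    --region "$AWS_REGION" \
    --effective-settings \
    --name tagResourceAuthorization \
    --query 'settings[0].value' \
    --output text
}

# Sets the account-wide default, so every principal in the account (not only
# the continuous-deployment role) becomes subject to tagging authorization.
enable_tag_auth() {
  aws ecs put-account-setting-default \
    --region "$AWS_REGION" \
    --name tagResourceAuthorization \
    --value on >/dev/null
}

# Succeeds only when the effective setting is exactly "on". Anything else
# ("off", "None", empty) means ecs:TagResource is not yet being enforced.
require_tag_auth_on() {
  state="$(tag_auth_state)"
  case "$state" in
    on) return 0 ;;
    *)  echo "tagResourceAuthorization is '$state', expected 'on'" >&2; return 1 ;;
  esac
}

case "${1:-}" in
  check)  echo "tagResourceAuthorization: $(tag_auth_state)" ;;
  enable) enable_tag_auth; require_tag_auth_on; echo "tagResourceAuthorization: on" ;;
  *)      echo "usage: $0 check|enable" >&2 ;;
esac
```

Run it with `check` before and after `enable`; the `enable` subcommand refuses to report success unless the re-read effective value is on, which catches the case where a principal-level setting still says off.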
Step 2: Verify that continuous deployment fails (optional)
Trigger a deployment of an application to verify that your continuous deployment pipeline fails with an error message containing "no identity-based policy allows the ecs:TagResource action".
Error message example
```text
Error: updating tags for ECS (Elastic Container) Task Definition
(arn:aws:ecs:eu-west-1:123456789012:task-definition/some-task-definition:1): tagging
resource (arn:aws:ecs:eu-west-1:123456789012:task-definition/some-task-definition:1):
AccessDeniedException: User: arn:aws:sts::12345678901:assumed-role/... is not authorized to
perform: ecs:TagResource on resource:
arn:aws:ecs:eu-west-1:123456789012:task-definition/some-task-definition:1 because no
identity-based policy allows the ecs:TagResource action
```
Step 3: Update your IAM policy
If you are using the Golden Path and its iam-policies-generic module, you can update your iam stack to use the ecs_tagging policy document. Then proceed to the next step.
If not, figure out where your current IAM policies for continuous deployment are defined. One way to do this is to search your IaC repository for ecs:RegisterTaskDefinition. This string may also be located within a module. If that's the case, a direct search may return no results, and you will have to figure out which module to update.
Why ecs:RegisterTaskDefinition?
The ecs:RegisterTaskDefinition action registers a new task definition revision, which every continuous deployment does. Wherever you find this action granted is likely to be close to the place that needs updating.
Create or modify a policy that allows creating resources with tags. Scope the resources as narrowly as your pipeline allows; a blanket "*" would let the deployment role tag (and untag) any ECS resource in the account. Here is one example in Terraform:
```hcl
data "aws_iam_policy_document" "ecs_tagging" {
  statement {
    sid    = "ECSTagging"
    effect = "Allow"
    # Only the service this pipeline deploys and the task definitions it
    # registers. ecs:TagResource is evaluated against the ARN of the resource
    # being created, which for task definitions includes the revision number,
    # hence the wildcard.
    resources = [
      "arn:aws:ecs:${var.region}:${var.account_id}:service/${var.environment}/my-service",
      "arn:aws:ecs:${var.region}:${var.account_id}:task-definition/*"
    ]
    actions = [
      "ecs:TagResource",
      "ecs:UntagResource"
    ]
  }
}
```
Add the above policy document to your existing policies, or create a new policy from it and attach it to the IAM role used by continuous deployment. Keep ecs:UntagResource only if your deployments actually remove tags: where tags drive access control or cost allocation, the ability to strip them is a permission worth withholding. If you're unsure how to proceed with this, you can contact us for help.
Step 4: Apply
Run terraform apply to apply the changes.
Verify
Trigger a new deployment, and verify that it succeeds.
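A quicker check than a full deployment, as an added shell example that is not part of the original guide: ask the IAM policy simulator whether the continuous-deployment role may now tag the resources a deployment creates, and confirm that it still cannot tag a service outside its scope. The role ARN, account, region and cluster name are placeholders; the operation it relies on is aws iam simulate-principal-policy.

```shell
#!/bin/sh
# Added example, not part of the original guide: ask the IAM policy simulator
# whether the continuous-deployment role may tag the resources a deployment
# creates, and that it still cannot tag resources outside its scope.
# Assumptions: the role ARN, account, region and cluster are placeholders.
set -eu

ROLE_ARN="${ROLE_ARN:-arn:aws:iam::123456789012:role/continuous-deployment}"
REGION="${AWS_REGION:-eu-west-1}"
ACCOUNT="${ACCOUNT_ID:-123456789012}"
CLUSTER="${CLUSTER:-prod}"   # stands in for ${var.environment} in the policy document

# Simulates one action on one resource ARN for the role and prints the
# decision: allowed, implicitDeny or explicitDeny. The identity policies
# attached to the role (and a permissions boundary, if one is set) are
# evaluated; the ECS account setting itself is not, so this complements
# Step 1 rather than replacing it.
decision() {
  aws iam simulate-principal-policy \
    --policy-source-arn "$ROLE_ARN" \
    --action-names "$1" \
    --resource-arns "$2" \
    --query 'EvaluationResults[0].EvalDecision' \
    --output text
}

# Compares the simulated decision with the expected one; returns non-zero on
# mismatch so the script can gate a pipeline step.
expect() {
  got="$(decision "$1" "$2")"
  if [ "$got" = "$3" ]; then
    echo "ok    $1 on $2 -> $got"
  else
    echo "FAIL  $1 on $2 -> $got (expected $3)" >&2
    return 1
  fi
}

# The positive checks mirror the resources in the ecs_tagging policy document;
# the negative check confirms the grant did not silently widen to the account.
run_checks() {
  rc=0
  expect ecs:TagResource "arn:aws:ecs:$REGION:$ACCOUNT:task-definition/some-task-definition:1" allowed || rc=1
  expect ecs:TagResource "arn:aws:ecs:$REGION:$ACCOUNT:service/$CLUSTER/my-service" allowed || rc=1
  expect ecs:TagResource "arn:aws:ecs:$REGION:$ACCOUNT:service/other-cluster/other-service" implicitDeny || rc=1
  return $rc
}

if [ "${1:-}" = "run" ]; then
  run_checks
fi
```

Run it with `run` before and after `terraform apply`: before, the first two checks should report implicitDeny (the same condition the error message in Step 2 reflects); after, all three should pass. A deployment that still fails at that point points to something the simulator does not cover, such as the tagging-authorization setting of Step 1 or a policy on a different role than the one the pipeline assumes.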