Tags: amazon-web-services, amazon-s3, amazon-iam, amazon-ecs

ECS Fargate task unable to access s3 in another account


I have a scheduled ECS Fargate task running in my "AccountA". The task needs to access an S3 bucket located in another AWS account, "AccountB".

The ECS task in the AccountA assumes a role "AccountA_ECSTaskRole". I have created a role "AccountB_S3AccessBucketRole" in the AccountB to allow the IAM role "AccountA_ECSTaskRole" to access the S3 bucket in AccountB.

The AccountB_S3AccessBucketRole policy is as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME/*"
    }
  ]
}

And the assume role policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": "AccountA_ECSTaskRole_ARN"
      }
    }
  ]
}

My task is a Docker container running aws s3 cp myfiletocopy s3://ACCOUNTB_BUCKET_NAME/. I specified the taskRoleArn in the task definition as AccountA_ECSTaskRole_ARN. The AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable seems to be set correctly by the ECS agent in my container, since I can echo it. Still, I'm getting: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied


Solution

  • I made it work by setting a bucket policy for ACCOUNTB_BUCKET_NAME and not a role, as follows:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation"
          ],
          "Principal": {
            "AWS": "AccountA_ECSTaskRole_ARN"
          },
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME"
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "AccountA_ECSTaskRole_ARN"
          },
          "Action": [
            "s3:GetObject",
            "s3:PutObject"
          ],
          "Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME/*"
        }
      ]
    }

    And setting the AccountA_ECSTaskRole to access the ACCOUNTB_BUCKET_NAME:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:PutObject"
          ],
          "Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME/*"
        }
      ]
    }
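The reason the first attempt failed and the second works comes down to how cross-account S3 access is evaluated: the task only ever called S3 with its own AccountA_ECSTaskRole credentials (the role in AccountB was never assumed via STS), so S3 saw a caller from AccountA that AccountB had granted nothing to. For a cross-account request, the caller's identity-based policy in AccountA and the resource-based bucket policy in AccountB must both allow it. The script below is an added example, not code from the asker or answerer: a small offline evaluator that applies that rule to the two policies from the answer and shows the question's setup (identity policy, no bucket policy) denied and the answer's setup allowed. The account ID and ARNs are constructed placeholders, and the evaluator deliberately ignores SCPs, permission boundaries, and the account-root delegation shortcut.

```python
import re

# Constructed placeholder identifiers; none of these refer to a real account or bucket.
ACCOUNT_A = "111111111111"
TASK_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/AccountA_ECSTaskRole"
BUCKET_ARN = "arn:aws:s3:::ACCOUNTB_BUCKET_NAME"

# Identity-based policy attached to AccountA_ECSTaskRole (the answer's second document).
TASK_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": BUCKET_ARN},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": BUCKET_ARN + "/*"},
    ],
}

# Resource-based bucket policy on ACCOUNTB_BUCKET_NAME (the answer's first document).
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": TASK_ROLE_ARN},
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"], "Resource": BUCKET_ARN},
        {"Effect": "Allow", "Principal": {"AWS": TASK_ROLE_ARN},
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET_ARN + "/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    for pat in _as_list(patterns):
        regex = "^" + re.escape(pat).replace(r"\*", ".*").replace(r"\?", ".") + "$"
        if re.match(regex, value):
            return True
    return False


def evaluate_policy(policy, action, resource, caller_arn):
    """Return 'Allow', 'Deny' or None for one policy document.

    Statements that carry a Principal (resource-based policies) only apply when
    the caller is named in it; identity-based statements have no Principal and
    apply to whoever the policy is attached to."""
    verdict = None
    for stmt in policy.get("Statement", []):
        if "Principal" in stmt:
            named = _as_list(stmt["Principal"].get("AWS", []))
            if caller_arn not in named and "*" not in named:
                continue
        if not _matches(stmt.get("Action", []), action):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # an explicit deny is final
        verdict = "Allow"
    return verdict


def cross_account_allowed(identity_policy, bucket_policy, action, resource, caller_arn):
    """Simplified cross-account rule: the caller's identity policy (AccountA) AND
    the bucket policy (AccountB) must both allow the request; an explicit Deny in
    either blocks it. A missing bucket policy grants nothing to a foreign caller."""
    ident = evaluate_policy(identity_policy, action, resource, caller_arn)
    bucket = (evaluate_policy(bucket_policy, action, resource, caller_arn)
              if bucket_policy else None)
    if "Deny" in (ident, bucket):
        return False
    return ident == "Allow" and bucket == "Allow"


def compare_setups(action="s3:PutObject", key="myfiletocopy"):
    """Question's setup (identity policy only, no bucket policy) vs the answer's."""
    obj = f"{BUCKET_ARN}/{key}"
    return {
        "question_setup": cross_account_allowed(TASK_ROLE_POLICY, None, action, obj, TASK_ROLE_ARN),
        "answer_setup": cross_account_allowed(TASK_ROLE_POLICY, BUCKET_POLICY, action, obj, TASK_ROLE_ARN),
    }


if __name__ == "__main__":
    print(compare_setups())  # {'question_setup': False, 'answer_setup': True}
```

Note that the evaluator also denies an action neither policy grants (for example s3:DeleteObject) and a caller the bucket policy does not name, which is the least-privilege shape you want: the bucket policy pins the grant to one role ARN rather than the whole AccountA, so a compromised principal elsewhere in AccountA gains nothing from it.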