Following is the error that comes up when running a task in an AWS ECS cluster.
com.amazonaws.services.sqs.model.AmazonSQSException: Access to the resource https://sqs.us-east-1.amazonaws.com/XXXXXXXXXXX/XXXXXXXXXXQueue is denied. (Service: AmazonSQS; Status Code: 403; Error Code: AccessDenied; Request ID: XXXXXXX-XXX-XX-XXXX-XXXXXXXXXX; Proxy: null)
As per the initial analysis, I have modified the access policy of the queue and the IAM role of the ECS task as follows.
Access policy of the SQS queue:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::XXXXXXXXXXXX:root",
          "arn:aws:iam::XXXXXXXXXXXX:role/XXXXXXXXXXXX/xxxxxx-exec-role",
          "arn:aws:iam::XXXXXXXXXXXX:role/XXXXXXXXXXXX/xxxxxx-deploy-role",
          "arn:aws:iam::XXXXXXXXXXXX:role/XXXXXXXXXXXX/xxxxxx-task-role"
        ]
      },
      "Action": "sqs:*",
      "Resource": "*"
    }
  ]
}
I have also added the statement below to all of the above-mentioned IAM roles that run the task in AWS ECS.
Statement added to the IAM roles associated with the AWS ECS task:
{
  "Action": [
    "sqs:*"
  ],
  "Resource": [
    "arn:aws:sqs:us-east-1:ACCOUNT_NUMBER_HERE:xxx*"
  ],
  "Effect": "Allow"
}
Please let me know if I am missing anything or if you have resolved such issues before.
Please add the EC2 container instance role to the SQS access policy as below. There is no need to add the ECS execution, task or deploy role mentioned in the question.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::XXXXXXXXXXX:role/XXXXXEC2ContainerServiceforEC2Role"
        ]
      },
      "Action": "SQS:*",
      "Resource": "*"
    }
  ]
}
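Added example, not code from the question or the answer: a small Python helper that checks whether a given principal, action and queue ARN are covered by an Allow statement in a queue (resource) policy or a role (identity) policy like the ones posted above, and lints a policy for the over-broad grants the posted queue policy contains (Resource "*", sqs:*, the account root principal). It assumes Allow statements only (no Deny, Condition, NotAction or NotPrincipal, none of which appear in the posted policies); the account id, role path and queue name in the sample policies are placeholders.

```python
import re

def iam_match(pattern, value):
    """IAM wildcard match: '*' spans any text, '?' one character; case-insensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE) is not None

def as_list(value):
    return value if isinstance(value, list) else [value]

def principals_of(stmt):
    """AWS principals of a resource-policy statement ([] for identity policies)."""
    principal = stmt.get("Principal")
    if principal is None:
        return []
    return as_list(principal.get("AWS", []) if isinstance(principal, dict) else principal)

def statement_allows(stmt, principal_arn, action, resource_arn):
    """True if an Allow statement covers the principal (when stated), action and resource."""
    if stmt.get("Effect") != "Allow":
        return False
    if "Principal" in stmt and not any(iam_match(p, principal_arn) for p in principals_of(stmt)):
        return False
    return (any(iam_match(a, action) for a in as_list(stmt.get("Action", [])))
            and any(iam_match(r, resource_arn) for r in as_list(stmt.get("Resource", []))))

def policy_allows(policy, principal_arn, action, resource_arn):
    return any(statement_allows(s, principal_arn, action, resource_arn) for s in policy["Statement"])

def lint(policy):
    """Flag least-privilege problems: wildcard Resource/Action and account-root principals."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in as_list(stmt.get("Resource", [])):
            findings.append(f"statement {i}: Resource '*' (scope it to the queue ARN)")
        if any(a.lower() in ("*", "sqs:*") for a in as_list(stmt.get("Action", []))):
            findings.append(f"statement {i}: Action wildcard (list only the API calls the task needs)")
        findings += [f"statement {i}: Principal {p} covers every identity in the account"
                     for p in principals_of(stmt) if p.endswith(":root")]
    return findings

# Constructed samples modelled on the question's two policies, with a placeholder account id.
QUEUE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sqs:*",
    "Resource": "*", "Principal": {"AWS": ["arn:aws:iam::123456789012:root",
                                          "arn:aws:iam::123456789012:role/svc/xxxxxx-task-role"]}}]}
TASK_ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["sqs:*"],
    "Resource": ["arn:aws:sqs:us-east-1:123456789012:xxx*"]}]}
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:xxxQueue"
TASK_ROLE_ARN = "arn:aws:iam::123456789012:role/svc/xxxxxx-task-role"
```

Within a single account an SQS call succeeds when either the identity policy or the queue policy allows it, so a 403 with both in place usually means the task is running as a principal other than the ones listed; running `aws sts get-caller-identity` inside the container shows which role it actually assumed.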