
When trying to call update_service on an ECS service using Python boto3, I got an error like this:

An error occurred (AccessDeniedException) when calling the UpdateService operation: User: arn:aws:sts::xxx:assumed-role/infra-conductors/infra-conductors is not authorized to perform: iam:PassRole on resource: arn:aws:iam::xxx:role/ecs/ecsTaskExecutionRole-test with an explicit deny in a service control policy

but I've already added permissions and a trust policy to this Lambda:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "test",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::xxx:role/ecs/ecsTaskExecutionRole-test"
            ]
        }
    ]
}

and,

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "lambda.amazonaws.com",
                    "ecs.amazonaws.com",
                    "ecs-tasks.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

BTW, I attached other permissions to this Lambda, and it can reboot an ECS service or change the desiredCount, but when I try to change the taskdef, I get this error.


1 Answer


The error says that it was denied with an explicit deny. This means that somewhere there is a policy that explicitly denies what you are trying to do. Since a deny statement always takes precedence over any allow, you first have to find the policy with the deny and remove it.

    The `in a service control policy` part of the error message indicates that this explicit deny is most likely in a Service Control Policy (SCP) applied to the whole account so it may be difficult to find unless you have access to the Organization Management account. You should probably talk to your AWS Admin/Security People. – Maurice May 30 '23 at 05:57
  • Yeah, I found the explicit deny in our SCP. Thx. { "Version": "2012-10-17", "Statement": [ { "Sid": "ExplicitIAMPassRole", "Action": [ "iam:PassRole" ], "Resource": "*", "Effect": "Deny", "Condition": { "ArnNotLike": { – reachlin May 30 '23 at 06:34
  • @reachlin Is it still unclear why you get access denied? – Marcin May 31 '23 at 04:25
  • @Marcin, thanks. I found that the SCP disabled PassRole. Now my question is: is it possible to update the service without changing the SCP, because it is set globally by the company? – reachlin May 31 '23 at 06:37
  • @reachlin Sadly, it's not possible. That's the entire point of explicit denies. – Marcin May 31 '23 at 06:41
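The evaluation rule the answer relies on, as an added worked example that is not part of the original question or answer: a small Python model of the IAM decision order (explicit deny anywhere wins, then the SCP and the identity policy must each allow). The identity policy is the one from the question; the SCP is a constructed assumption, because the thread only shows a truncated SCP. Its condition key (aws:PrincipalArn), the "approved/" role path and the account id 111122223333 are invented for illustration, and the model only handles ArnLike / ArnNotLike on keys that are present in the request context.

```python
"""Toy model of the IAM policy evaluation order for a single request.

Added example, not code from the original post. It reproduces the rule the
answer states: an explicit Deny in any applicable policy (here an SCP) beats
any Allow in the identity policy. The SCP, its condition key and the
"approved/" path are constructed assumptions; the thread's real SCP is cut off.
"""
import fnmatch


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Condition values."""
    return value if isinstance(value, list) else [value]


def arn_like(pattern, value):
    """ArnLike semantics: '*' matches any run of characters, '?' exactly one."""
    return fnmatch.fnmatchcase(value, pattern)


def statement_matches(stmt, action, resource, context):
    """True if the statement applies to this request (Action, Resource and Condition all match)."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(arn_like(r, resource) for r in _as_list(stmt.get("Resource", []))):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator not in ("ArnLike", "ArnNotLike"):
            raise ValueError(f"operator {operator} is not modelled here")
        for key, patterns in pairs.items():
            # Toy model: the key must be present in the request context.
            # (Real IAM has per-operator rules for absent keys; not modelled.)
            hit = any(arn_like(p, context[key]) for p in _as_list(patterns))
            if operator == "ArnLike" and not hit:
                return False
            if operator == "ArnNotLike" and hit:
                return False
    return True


def evaluate(action, resource, context, identity_policies, scps):
    """Return (decision, reason) following the documented order: an explicit Deny
    in any policy ends evaluation; otherwise the SCPs and the identity policy must
    each contain a matching Allow, or the result is an implicit deny."""
    layers = [("SCP", p) for p in scps] + [("identity policy", p) for p in identity_policies]

    # 1. Explicit Deny anywhere wins, no matter what the other policies allow.
    for layer, policy in layers:
        for stmt in policy["Statement"]:
            if stmt["Effect"] == "Deny" and statement_matches(stmt, action, resource, context):
                return "DENY", f"explicit deny in {layer} (Sid={stmt.get('Sid', '')!r})"

    def has_allow(policies):
        return any(
            s["Effect"] == "Allow" and statement_matches(s, action, resource, context)
            for p in policies for s in p["Statement"]
        )

    # 2. The organization boundary (SCP) must allow the action.
    if not has_allow(scps):
        return "DENY", "implicit deny: no SCP allows the action"
    # 3. Then the principal's own identity policy must allow it.
    if not has_allow(identity_policies):
        return "DENY", "implicit deny: no identity policy allows the action"
    return "ALLOW", "allowed by SCP and identity policy"


ACCOUNT = "111122223333"  # constructed account id
TASK_EXEC_ROLE = f"arn:aws:iam::{ACCOUNT}:role/ecs/ecsTaskExecutionRole-test"

# The identity policy from the question (account id substituted).
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "test", "Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": [TASK_EXEC_ROLE]},
    ],
}

# Constructed SCP: everything allowed, except iam:PassRole for any principal
# whose role does not sit under the (hypothetical) approved path.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "ExplicitIAMPassRole", "Effect": "Deny", "Action": ["iam:PassRole"],
         "Resource": "*",
         "Condition": {"ArnNotLike": {"aws:PrincipalArn": [f"arn:aws:iam::{ACCOUNT}:role/approved/*"]}}},
    ],
}


def pass_role_decision(principal_role_arn, identity_policies=(IDENTITY_POLICY,), scps=(SCP,)):
    """Decide whether the calling role may pass TASK_EXEC_ROLE, as UpdateService needs."""
    context = {"aws:PrincipalArn": principal_role_arn}
    return evaluate("iam:PassRole", TASK_EXEC_ROLE, context, list(identity_policies), list(scps))


if __name__ == "__main__":
    for principal in (f"arn:aws:iam::{ACCOUNT}:role/infra-conductors",
                      f"arn:aws:iam::{ACCOUNT}:role/approved/ecs-deployer"):
        print(principal, "->", pass_role_decision(principal))
```

Running it shows the situation from the thread: the Lambda's role (infra-conductors) is denied by the SCP's explicit deny even though its identity policy allows iam:PassRole on exactly that role, while a role under the assumed approved path is allowed. Which principals are exempted depends entirely on the SCP's condition, which is why the real SCP text matters more than anything attached to the Lambda itself.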