Cross Account IAM Role for ECS deployments

In my setup I have 2 accounts:

Account A runs CodeCommit + CodePipeline

Account B has an ECS cluster

Most of the steps I did are described in the Create a Pipeline in CodePipeline That Uses Resources guide from AWS.

However, my setup is to deploy to ECS using CodePipeline without using CodeDeploy. So I had to create a CrossAccount role with the following policies.

Policy to access the KMS key in account A:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow access to KMS key on Account A",
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:Encrypt",
                "kms:GenerateDataKey",
                "kms:ReEncrypt*"
            ],
            "Effect": "Allow",
            "Resource": "KEYARN"
        }
    ]
}

Policy to allow access to the S3 artifact bucket in account A:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow access to S3 bucket in Account A",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::your-bucket-name",
                "arn:aws:s3:::your-bucket-name/*"
            ]
        }
    ]
}

Policy to allow access to ECS in account B:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow access to ECS",
            "Effect": "Allow",
            "Action": "ecs:*",
            "Resource": [
                "*"
            ]
        }
    ]
}

Policy to pass the role to ECS:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEqualsIfExists": {
                    "iam:PassedToService": [
                        "ecs-tasks.amazonaws.com"
                    ]
                }
            }
        }
    ]
}

Without these policies I was getting a lot of different errors in CodePipeline like “The provided role does not have sufficient permissions to access ECS” or “The provided role does not have sufficient permissions (to access certain bucket)”.
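These policies get the pipeline working, but several of them are broader than a deploy role needs. The following Python audit is an added example (not from the post or from AWS) that parses the ECS and PassRole policies above, embedded here as constructed samples, and flags service-wide action wildcards, Resource "*", and the "...IfExists" condition on iam:PassRole, which evaluates to true whenever the iam:PassedToService key is absent from the request.

```python
import json

# Constructed samples copied from the ECS and PassRole policies in this post;
# the S3 and KMS policies can be fed to audit_policy() in the same way.
ECS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "Allow access to ECS", "Effect": "Allow",
                 "Action": "ecs:*", "Resource": ["*"]}]
}""")

PASSROLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Action": ["iam:PassRole"], "Resource": "*", "Effect": "Allow",
                 "Condition": {"StringEqualsIfExists":
                               {"iam:PassedToService": ["ecs-tasks.amazonaws.com"]}}}]
}""")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (sid, finding) tuples for Allow statements broader than a deploy role needs."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        cond = stmt.get("Condition", {})
        # "service:*" also covers every API the service adds in the future.
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((sid, f"wildcard action '{action}'"))
        # A wildcard action on Resource "*" reaches every resource in the account.
        if "*" in resources and any(a.endswith("*") for a in actions):
            findings.append((sid, "wildcard action on Resource '*'"))
        if "iam:PassRole" in actions:
            if "*" in resources:
                findings.append((sid, "iam:PassRole on Resource '*'; list the task role ARNs"))
            # ...IfExists is satisfied when the key is missing from the request
            # context, so it does not pin the role to ecs-tasks alone.
            if any(op.endswith("IfExists") for op in cond) and "StringEquals" not in cond:
                findings.append((sid, "iam:PassRole guarded only by an IfExists condition"))
    return findings
```

Run it over each policy document before attaching it to the cross-account role; an empty list means no wildcard or IfExists findings.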