-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(aws-events-targets): EcsTask target with tags does not get ecs:TagResource permission added to role #28854
Comments
Here's how I'm working around this for now: const manualRuleTags = [
{ key: "my-tag-1", value: "true" },
{ key: "my-tag-2", value: "false" },
];
const manualRuleTarget = new EcsTaskTarget({
// other props per docs
tags: manualRuleTags,
});
// Grant ecs:TagResource to work around this bug: https://github.com/aws/aws-cdk/issues/28854
((manualRuleTarget as any).role as Role).addToPrincipalPolicy(
new PolicyStatement({
sid: "AllowTaggingEcsResource",
actions: ["ecs:TagResource"],
resources: [`arn:aws:ecs:us-west-2:*:task/${ecsCluster.clusterName}/*`],
// allow tagging with the specified tags
conditions: {
"ForAllValues:StringEquals": {
"aws:TagKeys": manualRuleTags.map((t) => t.key),
},
},
})
); |
I'll take this. |
Thanks! I've been deep in client work, so I have just worked around this for now. I appreciate you picking it up. I think the workaround code is accurate for what needs to be added. |
@blimmer Hmm, I wasn't able to reproduce this. I first ran:
I then deployed the stack here and I can get it to trigger and execute properly: Am I missing something? |
Hmm, at a glance, it looks like that's providing tags and should fail. A few things:
Let me know! I might have some time this afternoon to try with that stack if you're still not able to reproduce. |
Ok think I sorted it. I didn't enable in right Region. My bad! |
Thanks for reporting this issue and noting the workaround. I'll add the appropriate labels for tracking. I saw one other issue (#25768) referencing that error but in the context of using CodePipeline. |
I enabled the following: `aws ecs put-account-setting-default --name tagResourceAuthorization --value on` And then confirmed the task completes successfully. Closes #28854. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
Describe the bug
When using the
EcsTask
EventBridge target and providingtags
, the auto-generated role does not get theecs:TagResource
IAM permission.This causes problems when the AWS account has the
tagResourceAuthorization
setting enabled. According to an email I recently received from Amazon, this setting will be enabled by default on 29 March 2024:Once the setting is enabled by default on all accounts, these event targets will start failing.
Expected Behavior
When I provide a list of
tags
on the EcsTask event target, it should automatically grant theecs:TagResource
permission for the specified tags.Current Behavior
The role does not get the
ecs:TagResource
permission, which causes the event invocation to fail.The event fails with:
Reproduction Steps
Consider a basic event rule, as specified in the CDK documentation:
This code produces an IAM role that does not allow
ecs:TagResource
, as you can see in the source code:aws-cdk/packages/aws-cdk-lib/aws-events-targets/lib/ecs-task.ts
Lines 268 to 296 in 2801355
The event triggers without errors when
tagResourceAuthorization
is disabled. However, when you enabletagResourceAuthorization
via:The task will start to fail because of the missing permission.
Possible Solution
The
createEventRolePolicyStatements
method should be updated. Iftags
are present the IAM policy should includeecs:TagResource
for the specified tags. The docs should be reviewed and the appropriate restrictive conditions should be applied.Additional Information/Context
No response
CDK CLI Version
2.123.0
Framework Version
No response
Node.js Version
20.11.0
OS
MacOS
Language
TypeScript
Language Version
No response
Other information
I'm unsure if this is needed if
propagateTags
is specified. More digging in the docs ontagResourceAuthorization
is needed.The text was updated successfully, but these errors were encountered: