Hi, I'm trying to create an ECS task and I want to use the role (role-1) that I imported, but I'm not able to use that same role to create the ECS task.
My iam-role.tf looks like:
```
data "aws_iam_policy_document" "ecs_task_execution_role" {
  version = "2012-10-17"
  statement {
    sid     = ""
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

# ECS task execution role
resource "aws_iam_role" "ecs_task_execution_role" {
  name               = var.ecs_task_execution_role
  assume_role_policy = data.aws_iam_policy_document.ecs_task_execution_role.json
}

# ECS task execution role policy attachment
resource "aws_iam_role_policy_attachment" "ecs_task_execution_role" {
  role = aws_iam_role.ecs_task_execution_role.name
  #policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
  policy_arn = "arn:aws:iam::xx:role/xx/role-1"
}
```
I have followed a similar approach to create ECS: terraform/ecs at master · jayachandrareddym/terraform · GitHub

This is the error I get:

```
creating IAM Role (myECcsTaskExecutionRole): AccessDenied: User: arn:aws:sts::xxxxxx:assumed-role/AWSReservedSSO_xx/abc@example.com is not authorized to perform: iam:CreateRole on resource: arn:aws:iam:xx:role/myECcsTaskExecutionRole with an explicit deny in an identity-based policy
│ status code: 403, request id: 1ffeee20-6847-4539-9331-44e26a5787af
│
│ with aws_iam_role.ecs_task_execution_role,
│ on iam-role.tf line 19, in resource "aws_iam_role" "ecs_task_execution_role":
│ 19: resource "aws_iam_role" "ecs_task_execution_role" {
```
What changes do I need to make to the imported role-1 to use role-1 instead of the abc@example.com user?
When I checked role-1, it doesn't have the ECS policy attached. How can I attach the ECS policy to the imported role-1 from Terraform? I can't make changes in the AWS console.
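As an added example (not the poster's code), this is one way to attach the managed ECS task execution policy to the existing role-1 and use it from a task definition: the role is read with a data source instead of being created, since the error shows `iam:CreateRole` is explicitly denied for the SSO permission set, and `policy_arn` is given a policy ARN rather than a role ARN. The role name `role-1`, the task family and the container image are assumptions.

```hcl
# Reference the existing role instead of creating a new one. Creating a role
# needs iam:CreateRole, which the permission set in the error explicitly denies;
# reading it only needs iam:GetRole.
data "aws_iam_role" "ecs_task_execution_role" {
  name = "role-1" # assumption: the name of the imported role
}

# Attach the AWS-managed ECS task execution policy. policy_arn must be a
# *policy* ARN (arn:aws:iam::aws:policy/...), never a role ARN. Applying this
# requires iam:AttachRolePolicy on role-1 for the identity running Terraform.
resource "aws_iam_role_policy_attachment" "ecs_task_execution_role" {
  role       = data.aws_iam_role.ecs_task_execution_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

# Use role-1 as the task execution role. ECS can only assume it if role-1's
# trust policy allows the ecs-tasks.amazonaws.com service principal, the same
# statement the poster's aws_iam_policy_document describes.
resource "aws_ecs_task_definition" "app" {
  family                   = "app" # assumption
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = "256"
  memory                   = "512"
  execution_role_arn       = data.aws_iam_role.ecs_task_execution_role.arn

  container_definitions = jsonencode([{
    name         = "app"
    image        = "public.ecr.aws/docker/library/nginx:latest" # placeholder image
    essential    = true
    portMappings = [{ containerPort = 80, protocol = "tcp" }]
  }])
}
```

Before applying, confirm that role-1's trust policy lists `ecs-tasks.amazonaws.com`, for example with `aws iam get-role --role-name role-1 --query Role.AssumeRolePolicyDocument`; if it does not, the attachment still succeeds but tasks fail to start because ECS cannot assume the role.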