`sns:Publish` on an ECS task role

Anyone know if there is something special about setting up sns:Publish on an ECS task role? I’ve tried both setting the permission on the task execution role and on the task role, and I’m always getting an error message like so:

Aws::SNS::Errors::AuthorizationError - User: arn:aws:sts::xxx:assumed-role/<ec2_instance_role>/<ec2_instance_id> is not authorized to perform: SNS:Publish on resource: arn:aws:sns:<aws_region>:xxx:<topic_name> because no identity-based policy allows the SNS:Publish action

Should not be; as far as I remember, we do not need anything special for sns:publish from ECS.

I bumped into something about iam:PassRole in https://docs.aws.amazon.com/AmazonECS/latest/userguide/task-iam-roles.html#specify-task-iam-roles

Would that mean that the task role should have that permission for the underlying ec2 instance role?

But it’s weird though, I have other tasks that have for example an s3 permission attached to the task execution role and there’s no issue there

I noticed we seem to be “abusing” the execution role, where we’re actually defining a single role per task and setting it both as execution role and task role. I realize the execution role is targeted at the ECS agent and Docker daemon and task definition access needs, and the task role should be used for “app” specific permissions.

That’s something that we should probably clean up, but in any case, it doesn’t seem there’s any obvious reason why, setting up stuff the same, an s3:PutObject permission works and sns:Publish results in that message

If that works you’ll know the issue lies in your EC2 / ECS agent configuration

It looks like your task is trying to use the instance role instead of ECS task role. Maybe you are using a too old version of the SDK that doesn’t know the metadata endpoint for ECS task?

Wouldn’t that cause issue with something like s3:PutObject?

But yeah, indeed it looks like that, not sure why it would be trying to use the instance role in this case

> Wouldn’t that cause issue with something like s3:PutObject?
Unless these permissions are granted from an instance role.

That instance role referred to in the error contains:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents",
                "logs:CreateLogStream",
                "ecs:UpdateContainerInstancesState",
                "ecs:Submit*",
                "ecs:StartTelemetrySession",
                "ecs:RegisterContainerInstance",
                "ecs:Poll",
                "ecs:DiscoverPollEndpoint",
                "ecs:DeregisterContainerInstance",
                "ecs:CreateCluster",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetAuthorizationToken",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ec2:DescribeTags"
            ],
            "Resource": "*"
        }
    ]
}
```

And then there’s

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::<bucket>/*",
                "arn:aws:s3:::<bucket>/*"
            ]
        }
    ]
}
```

on the task role. This works.

Using the same setup but adding the sns:Publish permission to the task role causes the above-mentioned error

What if you add the SNS permission to the instance profile role just for testing?

To validate if it is in fact somehow using the host role

Sorry I am limited help here as I always use Fargate

We use both Fargate and ECS. We ended up with this setup where we use ECS for web services and Fargate for one-off workers

Yeah, adding it to the ec2 instance role works :shrug:
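The thread ends with the SNS permission working only once it is on the EC2 instance role, which confirms the task is resolving credentials from the instance profile rather than the task role. The following script is an added example, not code from this thread or from AWS: run inside the container, it reports where the SDK credential chain should be getting credentials from (based on the environment the ECS agent injects) and compares the principal STS actually reports against the expected task role name. It assumes the AWS CLI is present in the image and that the file is saved as `check_task_role.sh`.

```shell
#!/bin/sh
# Added example: detect an ECS task that is silently using the EC2 instance
# role instead of its task role. Usage: ./check_task_role.sh <task-role-name>

# Extract the role name from an STS assumed-role ARN of the form
# arn:aws:sts::<account>:assumed-role/<role>/<session>. Prints nothing
# for ARNs that are not assumed-role ARNs.
role_from_arn() {
  printf '%s\n' "$1" | awk -F'/' '/:assumed-role\//{print $2}'
}

# Simplified view of the SDK credential chain: static keys in the
# environment win, then the ECS container credential endpoint advertised
# by AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, then EC2 instance metadata.
# An SDK too old to know the container endpoint skips the middle step
# even when the variable is set, which is the failure mode in the thread.
credential_source() {
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then
    echo "static-env-keys"
  elif [ -n "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]; then
    echo "ecs-task-role"
  else
    echo "ec2-instance-role"
  fi
}

main() {
  expected="$1"
  [ -n "$expected" ] || { echo "usage: $0 <task-role-name>" >&2; return 2; }
  echo "credential source according to environment: $(credential_source)"
  # Ask STS which principal the CLI/SDK actually resolved. In the thread's
  # error the ARN named the instance role, not the task role.
  actual=$(aws sts get-caller-identity --query Arn --output text) || return 1
  role=$(role_from_arn "$actual")
  if [ "$role" = "$expected" ]; then
    echo "OK: running as task role $role"
  else
    echo "MISMATCH: running as '$role', expected '$expected' ($actual)"
    echo "check the SDK version and AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
    return 1
  fi
}

# Run main only when executed directly, so the functions can also be sourced.
case "$0" in */check_task_role.sh|check_task_role.sh) main "$@" ;; esac
```

A MISMATCH here while the task role carries `sns:Publish` means the fix belongs in the SDK or agent setup, not in more IAM grants on the instance role.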