Anyone know if there is something special about setting up sns:Publish on an ECS task role? I’ve tried both setting the permission on the task execution role and on the task role and I’m always getting an error message like so:
Aws::SNS::Errors::AuthorizationError - User: arn:aws:sts::xxx:assumed-role/<ec2_instance_role>/<ec2_instance_id> is not authorized to perform: SNS:Publish on resource: arn:aws:sns:<aws_region>:xxx:<topic_name> because no identity-based policy allows the SNS:Publish action
I noticed we seem to be “abusing” the execution role, where we’re actually defining a single role per task and setting it both as execution role and task role. I realize the execution role is targeted at the ECS agent and Docker daemon and task definition access needs, and the task role should be used for “app” specific permissions.
That’s something that we should probably clean up, but in any case, it doesn’t seem there’s any obvious reason why, setting up stuff the same, an s3PutObject permission works and sns:Publish results in that message.
It looks like your task is trying to use the instance role instead of the ECS task role. Maybe you are using too old a version of the SDK that doesn’t know the metadata endpoint for ECS tasks?
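A quick way to confirm that diagnosis from inside the container, as an added example that is not code from either poster: take the ARN returned by `aws sts get-caller-identity` (or the one in the error message) and check whether its role is the task role you expect. The helper names, the expected role name and the sample ARNs are assumed for illustration.

```python
"""Diagnose which IAM role an ECS task's SDK calls actually run as.

Assumption (matches the SDK credential chain): when the task definition has a
taskRoleArn, the ECS agent sets AWS_CONTAINER_CREDENTIALS_RELATIVE_URI in the
container and a current SDK fetches task-role credentials from it; an SDK that
ignores that variable falls back to the EC2 instance-profile role instead.
"""
import re

# arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>
ASSUMED_ROLE_RE = re.compile(
    r"^arn:aws:sts::(?P<account>[^:]+):assumed-role/(?P<role>[^/]+)/(?P<session>[^/]+)$"
)


def parse_assumed_role(arn):
    """Return (role_name, session_name) from an STS assumed-role ARN."""
    m = ASSUMED_ROLE_RE.match(arn)
    if not m:
        raise ValueError(f"not an STS assumed-role ARN: {arn}")
    return m.group("role"), m.group("session")


def diagnose(caller_arn, expected_task_role, env):
    """Return (ok, reason). env is the container's environment mapping."""
    role, session = parse_assumed_role(caller_arn)
    if role == expected_task_role:
        return True, f"calls run as task role {role} (session {session})"
    hints = []
    # Instance-profile credentials use the EC2 instance id as the session name,
    # exactly the "<ec2_instance_role>/<ec2_instance_id>" shape in the error.
    if session.startswith("i-"):
        hints.append("session name is an EC2 instance id, so these are instance-profile credentials")
    if "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" not in env:
        hints.append("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is unset: check that the "
                     "task definition sets taskRoleArn and the agent injected it")
    else:
        # Variable present but ignored: the answer's "SDK too old" hypothesis.
        hints.append("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is set but unused: "
                     "SDK too old to read the ECS credential endpoint")
    return False, f"calls run as {role}, not {expected_task_role}; " + "; ".join(hints)


if __name__ == "__main__":
    # Constructed sample: the shape of the ARN from the error message above.
    print(diagnose("arn:aws:sts::xxx:assumed-role/ecsInstanceRole/i-0123456789abcdef0",
                   "myTaskRole", {"AWS_CONTAINER_CREDENTIALS_RELATIVE_URI": "/v2/credentials/abc"}))
```

Run it with the real `caller_arn` from `aws sts get-caller-identity` inside the task; an `i-...` session name means the SDK never used the task role, whatever the IAM policy says.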