
Cannot create additional IAM Role in x-aws-cloudformation overlay

Open rosven opened this issue 3 years ago • 7 comments

I have a task that I want to be able to assume another role that only has access to S3. I want to provide temporary credentials to an S3 bucket. I try to create this slimmer role and reference the task role from it as principal. I get this error from the CloudFormation run (under Docker):

InsufficientCapabilitiesException: Requires capabilities : [CAPABILITY_NAMED_IAM]
	status code: 400, request id: ***************************
gmake: *** [Makefile:53: compose-dev] Error 1

Reading through the source, you explicitly set CAPABILITY_IAM but not CAPABILITY_NAMED_IAM: https://github.com/docker/compose-cli/blob/9d341e7539ec966603ae520447fc5964dc417469/ecs/sdk.go#L341

The role I am trying to create looks like this in the CloudFormation overlay:

DataSharing:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            AWS:
              # long-form GetAtt takes a [LogicalId, Attribute] list
              - Fn::GetAtt: [MyTaskRole, Arn]
          Action:
            - 'sts:AssumeRole'
    Description: Role to provide access to S3
    Policies:
      - PolicyName: DataSharingPolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "s3:GetObject"
                - "s3:ListBucket"
              Resource:
                - "arn:aws:s3:::bucketname/*"
                - "arn:aws:s3:::bucketname"
    # a custom RoleName is what makes CloudFormation demand CAPABILITY_NAMED_IAM
    RoleName: DataSharingRole

Is there a particular reason for not being able to create additional roles that are not directly connected to the task itself? Would it be possible to add a way to use other capabilities? Valid values are: CAPABILITY_IAM | CAPABILITY_NAMED_IAM | CAPABILITY_AUTO_EXPAND

src: https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html

rosven avatar May 25 '22 12:05 rosven

@rosven - Did you find a way around this? I've got a similar scenario where I want to create an IAM policy separate to a service using the cloudformation overlay.

MrTeale avatar Sep 09 '22 00:09 MrTeale

@rosven - Did you find a way around this? I've got a similar scenario where I want to create an IAM policy separate to a service using the cloudformation overlay.

Unfortunately I did not. I instead worked around the problem by giving the service access in another manner. Hope you find another way! Best of luck :)

rosven avatar Sep 09 '22 11:09 rosven

Same issue! I want to have 'static' ARN names for task roles, to simplify CI/CD, and couldn't use overlays because of this error.

x-aws-cloudformation:
  Resources:
    ServiceTaskRole:
      Properties:
        RoleName: ServiceTaskRole
    ServiceTaskExecutionRole:
      Properties:
        RoleName: ServiceTaskExecutionRole

InsufficientCapabilitiesException: Requires capabilities : [CAPABILITY_NAMED_IAM]
        status code: 400

I'm curious if changing the line mentioned by @rosven and re-compiling would make it work.

gascarcella avatar Sep 20 '22 21:09 gascarcella
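Both rosven's overlay and gascarcella's overlay fail for the same reason: a custom RoleName turns the CreateStack requirement from CAPABILITY_IAM into CAPABILITY_NAMED_IAM, and compose-cli only passes the former. As an added example (not compose-cli code, and not posted by anyone in the thread), here is a pre-flight check that mirrors that rule so the gap shows up before the stack call; the custom-name property table, the COMPOSE_CLI_CAPABILITIES constant and SAMPLE_TEMPLATE are assumptions based on the posts above.

```python
# Added example, not compose-cli code: a pre-flight check mirroring the
# CloudFormation capability rule behind InsufficientCapabilitiesException.
# `template` is a dict shaped like the YAML/JSON template (or merged overlay).
IAM_RESOURCE_TYPES = {
    "AWS::IAM::AccessKey", "AWS::IAM::Group", "AWS::IAM::InstanceProfile",
    "AWS::IAM::ManagedPolicy", "AWS::IAM::Policy", "AWS::IAM::Role",
    "AWS::IAM::User", "AWS::IAM::UserToGroupAddition",
}
# Custom-name properties (assumed table); any one of them escalates the need
# from CAPABILITY_IAM to CAPABILITY_NAMED_IAM, which is the error in this issue.
CUSTOM_NAME_PROPERTIES = {
    "AWS::IAM::Role": "RoleName", "AWS::IAM::User": "UserName",
    "AWS::IAM::Group": "GroupName", "AWS::IAM::ManagedPolicy": "ManagedPolicyName",
    "AWS::IAM::InstanceProfile": "InstanceProfileName",
}
# What compose-cli passes to CreateStack (per the sdk.go line linked above).
COMPOSE_CLI_CAPABILITIES = frozenset({"CAPABILITY_IAM"})
# Constructed sample: the unnamed task role compose-cli generates plus the
# named DataSharing role from the first post (policy bodies omitted).
SAMPLE_TEMPLATE = {"Resources": {
    "MyTaskRole": {"Type": "AWS::IAM::Role", "Properties": {}},
    "DataSharing": {"Type": "AWS::IAM::Role",
                    "Properties": {"RoleName": "DataSharingRole"}},
}}


def required_capabilities(template):
    # Capabilities CloudFormation will demand before creating this stack.
    iam_seen = named_seen = False
    for res in template.get("Resources", {}).values():
        rtype = res.get("Type", "")
        if rtype not in IAM_RESOURCE_TYPES:
            continue
        iam_seen = True
        name_prop = CUSTOM_NAME_PROPERTIES.get(rtype)
        if name_prop and name_prop in res.get("Properties", {}):
            named_seen = True
    needed = set()
    if named_seen:  # NAMED_IAM also covers the unnamed IAM resources
        needed.add("CAPABILITY_NAMED_IAM")
    elif iam_seen:
        needed.add("CAPABILITY_IAM")
    if "Transform" in template:  # macros such as SAM need AUTO_EXPAND
        needed.add("CAPABILITY_AUTO_EXPAND")
    return needed


def missing_capabilities(template, granted=COMPOSE_CLI_CAPABILITIES):
    # Capabilities the template needs that the deploying tool does not pass.
    needed = required_capabilities(template)
    if "CAPABILITY_NAMED_IAM" in granted:  # superset of CAPABILITY_IAM
        needed.discard("CAPABILITY_IAM")
    return needed - set(granted)
```

Running `missing_capabilities(SAMPLE_TEMPLATE)` reports `{'CAPABILITY_NAMED_IAM'}`, the same capability the error message in both posts names; dropping the RoleName, or granting CAPABILITY_NAMED_IAM, makes it empty.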

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar May 22 '23 00:05 stale[bot]

Using x-iam you can define additional policies for your services directly. I had this exact use case too, and so I put down the IAM role to assume there in a normal policy format. Hope that helps.

JohnPreston avatar May 23 '23 06:05 JohnPreston

This issue has been automatically marked as not stale anymore due to the recent activity.

stale[bot] avatar May 23 '23 06:05 stale[bot]

Using x-iam you can define additional policies for your services directly. I had this exact use case too, and so I put down the IAM role to assume there in a normal policy format. Hope that helps.

But that's working for compose-x only, not compose-cli?

D-Simona-G avatar May 24 '23 10:05 D-Simona-G