ecs-deploy
ECS Deploy doing ecs:ListTasks on * instead of just the target cluster causing AccessDeniedException
I'm using ECS deploy on our development server that has a separate access token from the production server user in a CI/CD pipeline. However, ecs-deploy seems to try to list tasks for all clusters which gets rejected because the access token only has access to the development cluster.
Versions that I replicated this with: 1.9.0, 1.10.0
Here are my logs with the error (sensitive information replaced with ####):
####@#### ./ecs-deploy % ecs deploy #### #### --tag 0.9.0
Deploying based on task definition: ####:6
Updating task definition
Changed image of container "api" to: "####" (was: "####")
Creating new task definition revision
Successfully created revision: 7
Updating service
Successfully changed task definition to: ####:7
Deploying new task definition.................................................................................................................................Traceback (most recent call last):
File "/home/####/Codes/ecs-deploy/venv/bin/ecs", line 10, in <module>
sys.exit(ecs())
File "/home/####/Codes/ecs-deploy/venv/lib/python3.7/site-packages/click/core.py", line 722, in __call__
return self.main(*args, **kwargs)
File "/home/####/Codes/ecs-deploy/venv/lib/python3.7/site-packages/click/core.py", line 697, in main
rv = self.invoke(ctx)
File "/home/####/Codes/ecs-deploy/venv/lib/python3.7/site-packages/click/core.py", line 1066, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/home/####/Codes/ecs-deploy/venv/lib/python3.7/site-packages/click/core.py", line 895, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/home/####/Codes/ecs-deploy/venv/lib/python3.7/site-packages/click/core.py", line 535, in invoke
return callback(*args, **kwargs)
File "/home/####/Codes/ecs-deploy/venv/lib/python3.7/site-packages/ecs_deploy/cli.py", line 107, in deploy
sleep_time=sleep_time
File "/home/####/Codes/ecs-deploy/venv/lib/python3.7/site-packages/ecs_deploy/cli.py", line 456, in deploy_task_definition
sleep_time=sleep_time
File "/home/####/Codes/ecs-deploy/venv/lib/python3.7/site-packages/ecs_deploy/cli.py", line 420, in wait_for_finish
waiting = not action.is_deployed(service)
File "/home/####/Codes/ecs-deploy/venv/lib/python3.7/site-packages/ecs_deploy/ecs.py", line 617, in is_deployed
service_name=service.name
File "/home/####/Codes/ecs-deploy/venv/lib/python3.7/site-packages/ecs_deploy/ecs.py", line 53, in list_tasks
serviceName=service_name
File "/home/####/Codes/ecs-deploy/venv/lib/python3.7/site-packages/botocore/client.py", line 357, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/home/####/Codes/ecs-deploy/venv/lib/python3.7/site-packages/botocore/client.py", line 661, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.errorfactory.AccessDeniedException: An error occurred (AccessDeniedException) when calling the ListTasks operation: User: #### is not authorized to perform: ecs:ListTasks on resource: *
This might not be totally unrelated, but it seems it's using * on this part too.
botocore.errorfactory.AccessDeniedException: An error occurred (AccessDeniedException) when calling the DescribeTasks operation: User: arn:aws:iam::*****:user/***** is not authorized to perform: ecs:DescribeTasks on resource: arn:aws:ecs:*********:******:task/*****
Tried using the CLI describe_tasks with the same user and it was a success.