AWS ECS update-service error using cross account


From aws account A I'm trying to force deploy an ecs service on account B.

Before issuing the update-service command I'm assuming a role which has account B as the trusted entity:

temp_role=$(aws sts assume-role --role-arn arn:aws:iam::Account_A_ID:role/cloudformation/gocd-deploy-role --role-session-name "ecs-update-service")

Then I issue the update-service command to update ecs service on account B like so:

aws ecs update-service \
  --service cluster-service \
  --cluster arn:aws:ecs:us-east-1:Account_B_ID:cluster/good-cluster \
  --force-new-deployment

And I get the following error:

An error occurred (InvalidParameterException) when calling the UpdateService operation: Identifier is for Account_B_ID. Your accountId is Account_A_ID

If I understand correctly, being on account A, I'm assuming a role which has account B as a trusted entity so it should be able to run commands on account B's resources. Why isn't it letting me run it?

Am I missing something?

Accepted answer, by Aslan Brooke:

I see you're assuming a role in the wrong account. I believe the correct build would be as follows...

The role needs to be created in Account_B_ID with an AWS account type and the Account_A_ID specified in the Account ID.

Then your user in Account_A_ID would be given a role with permissions to assume the role in Account_B_ID as follows:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::Account_B_ID:role/deploy_role"
  }
}

Then you would run the following to get a cross-account token (this assumes your AWS CLI credentials are set up for your user in Account A):

temp_role=$(aws sts assume-role --role-arn arn:aws:iam::Account_B_ID:role/deploy_role --role-session-name "ecs-update-service")

Then you can use that token to call the ecs as you specified.

Additional information can be found in IAM tutorial: Delegate access across AWS accounts using IAM roles.
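The full flow the answer describes, as an added example that is not part of the original question or answer: the trust policy that must exist on the role in Account B, a pre-check that the role and the cluster live in the same account (the mismatch that produces the "Identifier is for ... Your accountId is ..." error), and the assume-role call with its temporary credentials exported so that the ECS call actually runs as the assumed role. The role name `deploy_role`, the session name, the `RUN_DEPLOY` guard variable and the account placeholders are assumptions for illustration; the script assumes the default AWS CLI credentials belong to Account A.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes deploy_role exists in
# Account B with Account A in its trust policy, and that the caller's default
# AWS CLI credentials belong to Account A.
set -eu

# Trust policy for deploy_role in Account B: lets IAM principals in the
# account given as $1 (Account A) call sts:AssumeRole on it. Account A still
# needs its own sts:AssumeRole allow on the role ARN, as in the answer.
trust_policy_json() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::$1:root" },
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Account ID is the 5th colon-separated field of every AWS ARN.
arn_account_id() {
  printf '%s\n' "$1" | cut -d: -f5
}

# Pre-check: the role being assumed must live in the account that owns the
# cluster, otherwise UpdateService fails with
# "Identifier is for <B>. Your accountId is <A>".
check_role_matches_cluster() {
  role_acct="$(arn_account_id "$1")"
  cluster_acct="$(arn_account_id "$2")"
  if [ "$role_acct" != "$cluster_acct" ]; then
    printf 'role is in account %s but cluster is in %s\n' \
      "$role_acct" "$cluster_acct" >&2
    return 1
  fi
  return 0
}

# Assume the role and export the temporary credentials. Capturing the JSON in
# a variable without exporting it leaves the CLI using Account A's long-lived
# credentials, so the ECS call would still run as Account A.
assume_role_into_env() {
  creds="$(aws sts assume-role \
    --role-arn "$1" \
    --role-session-name "$2" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text)"
  # --output text is tab-separated; default IFS splits it into three words.
  set -- $creds
  export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
}

force_deploy() {
  role_arn="$1"; cluster_arn="$2"; service="$3"
  check_role_matches_cluster "$role_arn" "$cluster_arn"
  assume_role_into_env "$role_arn" "ecs-update-service"
  # Confirm the CLI now acts in Account B before touching the service.
  printf 'calling as account: %s\n' \
    "$(aws sts get-caller-identity --query Account --output text)"
  aws ecs update-service \
    --cluster "$cluster_arn" \
    --service "$service" \
    --force-new-deployment
}

# Real AWS calls only run when RUN_DEPLOY=1 is set (hypothetical guard so the
# functions can be sourced without side effects).
if [ "${RUN_DEPLOY:-0}" = "1" ]; then
  force_deploy "arn:aws:iam::Account_B_ID:role/deploy_role" \
               "arn:aws:ecs:us-east-1:Account_B_ID:cluster/good-cluster" \
               "cluster-service"
fi
```

Create the role in Account B with `aws iam create-role --role-name deploy_role --assume-role-policy-document "$(trust_policy_json Account_A_ID)"` (plus an ECS permissions policy), then run the script as `RUN_DEPLOY=1 sh deploy.sh` from Account A's credentials. The pre-check is cheap insurance: it catches the question's mistake (a role ARN in Account A paired with a cluster ARN in Account B) before any STS or ECS call is made.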