docker-archive / compose-cli

Easily run your Compose application to the cloud with compose-cli
Apache License 2.0

Cannot create additional IAM Role in x-aws-cloudformation overlay #2156

Open rosven opened 2 years ago

rosven commented 2 years ago

I have a task that I want to be able to assume another role that only has access to S3. I want to provide temporary credentials to an S3 bucket. I try to create this slimmer role and reference the task role from it as the principal. I get this error from the CloudFormation run (under docker):

InsufficientCapabilitiesException: Requires capabilities : [CAPABILITY_NAMED_IAM]
    status code: 400, request id: ***************************
gmake: *** [Makefile:53: compose-dev] Error 1

Reading through the source, you explicitly set CAPABILITY_IAM but not CAPABILITY_NAMED_IAM: https://github.com/docker/compose-cli/blob/9d341e7539ec966603ae520447fc5964dc417469/ecs/sdk.go#L341

The role I am trying to create looks like this in the CloudFormation overlay:

DataSharing:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            AWS:
              # GetAtt takes [LogicalId, Attribute]; the trust policy only admits the task role
              - Fn::GetAtt: [MyTaskRole, Arn]
          Action:
            - 'sts:AssumeRole'
    Description: Role to provide access to S3
    Policies:
      - PolicyName: DataSharingPolicy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "s3:GetObject"
                - "s3:ListBucket"
              Resource:
                - "arn:aws:s3:::bucketname/*"
                - "arn:aws:s3:::bucketname"
    # A caller-chosen RoleName is what makes CloudFormation demand CAPABILITY_NAMED_IAM
    RoleName: DataSharingRole

Is there a particular reason for not being able to create additional roles not directly connected to the task itself? Would it be possible to add a way to use other capabilities? Valid values are: CAPABILITY_IAM | CAPABILITY_NAMED_IAM | CAPABILITY_AUTO_EXPAND

src: https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html
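To see why the overlay above is rejected, here is an added example, not code from compose-cli or from the poster: a small Go preflight check that classifies a CloudFormation template the way the CreateStack API does. CloudFormation needs CAPABILITY_IAM for any AWS::IAM::* resource, and CAPABILITY_NAMED_IAM as soon as one of those resources carries a caller-chosen name such as RoleName (the same applies to an overlay that merely adds RoleName to a role compose-cli already generates). The template fragments are constructed here in the JSON form CloudFormation also accepts, the function names are hypothetical, and the list of name-bearing properties is taken from the CloudFormation resource reference.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// IAM resource types for which CloudFormation demands at least CAPABILITY_IAM.
var iamResourceTypes = map[string]bool{
	"AWS::IAM::AccessKey":           true,
	"AWS::IAM::Group":               true,
	"AWS::IAM::InstanceProfile":     true,
	"AWS::IAM::ManagedPolicy":       true,
	"AWS::IAM::Policy":              true,
	"AWS::IAM::Role":                true,
	"AWS::IAM::User":                true,
	"AWS::IAM::UserToGroupAddition": true,
}

// Property that gives the resource a caller-chosen name. Setting any of these
// is what escalates the requirement to CAPABILITY_NAMED_IAM. (AWS::IAM::Policy's
// PolicyName is mandatory and does not count as a custom name.)
var customNameProps = map[string]string{
	"AWS::IAM::Group":           "GroupName",
	"AWS::IAM::InstanceProfile": "InstanceProfileName",
	"AWS::IAM::ManagedPolicy":   "ManagedPolicyName",
	"AWS::IAM::Role":            "RoleName",
	"AWS::IAM::User":            "UserName",
}

type cfnResource struct {
	Type       string                     `json:"Type"`
	Properties map[string]json.RawMessage `json:"Properties"`
}

type cfnTemplate struct {
	Resources map[string]cfnResource `json:"Resources"`
}

// RequiredCapability returns the single IAM capability a CreateStack call must
// declare for this JSON template: "" (none), "CAPABILITY_IAM", or
// "CAPABILITY_NAMED_IAM" (which also covers unnamed IAM resources).
func RequiredCapability(tmpl string) (string, error) {
	var t cfnTemplate
	if err := json.Unmarshal([]byte(tmpl), &t); err != nil {
		return "", err
	}
	required := ""
	for _, r := range t.Resources {
		if !iamResourceTypes[r.Type] {
			continue
		}
		required = "CAPABILITY_IAM"
		if prop, ok := customNameProps[r.Type]; ok {
			if _, set := r.Properties[prop]; set {
				return "CAPABILITY_NAMED_IAM", nil
			}
		}
	}
	return required, nil
}

// Preflight applies CloudFormation's acceptance rule: the declared set must
// contain the required capability, and CAPABILITY_NAMED_IAM also satisfies a
// plain CAPABILITY_IAM requirement. The error mirrors the one in this issue.
func Preflight(declared []string, tmpl string) error {
	required, err := RequiredCapability(tmpl)
	if err != nil {
		return err
	}
	if required == "" {
		return nil
	}
	for _, c := range declared {
		if c == required || c == "CAPABILITY_NAMED_IAM" {
			return nil
		}
	}
	return fmt.Errorf("InsufficientCapabilitiesException: Requires capabilities : [%s] (declared: %s)",
		required, strings.Join(declared, ","))
}

// Constructed templates (hypothetical, not from the project): the first mirrors
// the DataSharing role above with its RoleName; the second is the same role
// without a custom name.
const NamedRoleTemplate = `{"Resources": {
  "DataSharing": {"Type": "AWS::IAM::Role", "Properties": {
    "RoleName": "DataSharingRole",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
      {"Effect": "Allow", "Action": "sts:AssumeRole",
       "Principal": {"AWS": {"Fn::GetAtt": ["MyTaskRole", "Arn"]}}}]}}}}}`

const UnnamedRoleTemplate = `{"Resources": {
  "DataSharing": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": []}}}}}`

func main() {
	// compose-cli declares only CAPABILITY_IAM, so the named role is refused.
	declared := []string{"CAPABILITY_IAM"}
	for name, tmpl := range map[string]string{"named": NamedRoleTemplate, "unnamed": UnnamedRoleTemplate} {
		if err := Preflight(declared, tmpl); err != nil {
			fmt.Printf("%s role: %v\n", name, err)
		} else {
			fmt.Printf("%s role: ok\n", name)
		}
	}
}
```

Dropping RoleName from the overlay lets CloudFormation generate the name, which passes with CAPABILITY_IAM alone; the trust policy can still pin the principal to the task role via Fn::GetAtt, so the least-privilege intent survives without the named-IAM capability.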

MrTeale commented 2 years ago

@rosven - Did you find a way around this? I've got a similar scenario where I want to create an IAM policy separate to a service using the cloudformation overlay.

rosven commented 2 years ago

> @rosven - Did you find a way around this? I've got a similar scenario where I want to create an IAM policy separate to a service using the cloudformation overlay.

Unfortunately I did not. I instead worked around the problem to give access in another manner to the service. Hope you find another way! best of luck :)

gascarcella commented 2 years ago

Same issue! I want to have 'static' ARN names for task roles, to simplify CI/CD, and couldn't use overlays because of this error.

x-aws-cloudformation:
  Resources:
    ServiceTaskRole:
      Properties:
        RoleName: ServiceTaskRole
    ServiceTaskExecutionRole:
      Properties:
        RoleName: ServiceTaskExecutionRole

InsufficientCapabilitiesException: Requires capabilities : [CAPABILITY_NAMED_IAM]
        status code: 400

I'm curious if changing the line mentioned by @rosven and re-compiling would make it work

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

JohnPreston commented 1 year ago

Using x-iam you can define additional policies for your services directly. I had this exact use-case too and so I put down the IAM role to assume there in a normal policy format. Hope that helps

stale[bot] commented 1 year ago

This issue has been automatically marked as not stale anymore due to the recent activity.

D-Simona-G commented 1 year ago

> Using x-iam you can define additional policies for your services directly. I had this exact use-case too and so I put down the IAM role to assume there in a normal policy format. Hope that helps

But that works for compose-x only, not compose-cli?