2

I created a Jenkins job running inside account A that connects, using cross-account IAM roles, to account B, where we have an ECS cluster. I managed to build and upload the Docker images from account A's Jenkins to account B, but when I use:

aws ecs update-service --cluster arn:aws:ecs:eu-west-1:Account_B_ID:cluster/Cluster --service cluster-service --force-new-deployment --region eu-west-1

I was prompted with an error:

An error occurred (InvalidParameterException) when calling the UpdateService operation: Identifier is for AccountID_B. Your accountId is AccountID_A

I have checked the Update-Service documentation, but I can't find any mistake, and I can't find anything more regarding this issue anywhere.

Do you know what the correct way to do an ECS cross-account deployment is?

Thanks for your time and help!

Gotttlieb

1 Answer

3

Run the command with a CLI --profile which assumes the IAM role on account-B:

aws ecs update-service --profile account-B_roleName

In ~/.aws/config:

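[profile account-B_roleName]
role_arn = arn:aws:iam::808449698514:role/PowerUser
# Assumption: the base credentials that call sts:AssumeRole are in the default profile; on an EC2-hosted Jenkins, use credential_source = Ec2InstanceMetadata instead
source_profile = default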

You can only apply a command on a resource in an account with an (assumed) role or user which is defined in that account.

Dominik
  • Thanks so much! I have to admit that I already used the "--profile" in other commands, but I didn't notice it here. And it seems strange to me that this wasn't explained anywhere as clearly as you explained it here. Thanks! – Gotttlieb Jun 06 '19 at 23:03
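
An added example, not part of the question or the answer above: a preflight a Jenkins step can run before `update-service`, which resolves the account behind a CLI profile and compares it with the account ID embedded in the cluster ARN, the same mismatch the InvalidParameterException reports. The function names and exit codes are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: account preflight for a cross-account ECS deployment.
# Function names and exit codes are hypothetical, not part of the AWS CLI.

# Print the 12-digit account ID (5th colon-separated field) of an ARN.
arn_account() {
  case $1 in
    arn:*:*:*:*:*) ;;
    *) return 1 ;;
  esac
  acct=$(printf '%s' "$1" | cut -d: -f5)
  case $acct in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "${#acct}" -eq 12 ] || return 1
  printf '%s\n' "$acct"
}

# preflight CALLER_ACCOUNT RESOURCE_ARN
# 0 = same account, 1 = mismatch (the InvalidParameterException case),
# 2 = the ARN carries no usable account ID.
preflight() {
  target=$(arn_account "$2") || {
    echo "no account ID in ARN: $2" >&2
    return 2
  }
  if [ "$1" != "$target" ]; then
    echo "credentials resolve to $1, resource is in $target" >&2
    return 1
  fi
  return 0
}

# force_deploy PROFILE CLUSTER_ARN SERVICE
# Resolves the profile to an account, checks it, then redeploys.
force_deploy() {
  caller=$(aws sts get-caller-identity --profile "$1" \
             --query Account --output text) || return 3
  preflight "$caller" "$2" || return $?
  aws ecs update-service --profile "$1" \
    --region "$(printf '%s' "$2" | cut -d: -f4)" \
    --cluster "$2" --service "$3" --force-new-deployment
}
```

Called as `force_deploy account-B_roleName <cluster ARN> cluster-service`, it stops before any ECS call when the profile still resolves to account A, for example because the role profile was never picked up.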