49 lines
1.4 KiB
Go
49 lines
1.4 KiB
Go
package amazon
|
|
|
|
import (
|
|
"fmt"
|
|
"github.com/aws/aws-sdk-go/aws"
|
|
"github.com/aws/aws-sdk-go/service/iam"
|
|
"github.com/compose-spec/compose-go/types"
|
|
"github.com/sirupsen/logrus"
|
|
)
|
|
|
|
const ECSTaskExecutionPolicy = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
|
|
|
|
var defaultTaskExecutionRole *string
|
|
|
|
// GetEcsTaskExecutionRole retrieve the role ARN to apply for task execution
|
|
func (c client) GetEcsTaskExecutionRole(spec *types.ServiceConfig) (*string, error) {
|
|
if arn, ok := spec.Extras["x-ecs-TaskExecutionRole"]; ok {
|
|
s := arn.(string)
|
|
return &s, nil
|
|
}
|
|
if defaultTaskExecutionRole != nil {
|
|
return defaultTaskExecutionRole, nil
|
|
}
|
|
|
|
logrus.Debug("Retrieve Task Execution Role")
|
|
entities, err := c.IAM.ListEntitiesForPolicy(&iam.ListEntitiesForPolicyInput{
|
|
EntityFilter: aws.String("Role"),
|
|
PolicyArn: aws.String(ECSTaskExecutionPolicy),
|
|
})
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if len(entities.PolicyRoles) == 0 {
|
|
return nil, fmt.Errorf("no Role is attached to AmazonECSTaskExecutionRole Policy, please provide an explicit task execution role")
|
|
}
|
|
if len(entities.PolicyRoles) > 1 {
|
|
return nil, fmt.Errorf("multiple Roles are attached to AmazonECSTaskExecutionRole Policy, please provide an explicit task execution role")
|
|
}
|
|
|
|
role, err := c.IAM.GetRole(&iam.GetRoleInput{
|
|
RoleName: entities.PolicyRoles[0].RoleName,
|
|
})
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defaultTaskExecutionRole = role.Role.Arn
|
|
return role.Role.Arn, nil
|
|
}
|