awslabs/ecs-refarch-continuous-deployment

ECS Cluster Role no longer authorized to run cfn scripts

kgorskowski opened this issue · 1 comments

Ok, I don't know what happened, but I am planning a service based on this reference infrastructure and as of yesterday it worked like a charm.
But today the initialization via CloudFormation stopped working at all. The Auto Scaling instances that make up the ECS cluster no longer seem to be authorized to send signals to CloudFormation. So instead of adding themselves to the cluster, they remain in the "default" cluster and the stack creation fails/times out. The managed role

AmazonEC2ContainerServiceforEC2Role

seems no longer able to perform the necessary actions.
Don't know how to quickly fix that, just wanted to leave it here. The system logs of the instances look like this:

AccessDenied: User: arn:aws:sts::$AccountId:assumed-role/ecs-cluster-ECSRole-1U3Z9R13GFRX6/$InstanceId is not authorized to perform: cloudformation:DescribeStackResource on resource: arn:aws:cloudformation:eu-west-1:$AccountID:stack/ecs-cluster/*
AccessDenied: User: arn:aws:sts::$AccountId:assumed-role/ecs-cluster-ECSRole-1U3Z9R13GFRX6/$InstanceId is not authorized to perform: cloudformation:SignalResource on resource: arn:aws:cloudformation:eu-west-1:$AccountID:stack/ecs-cluster/*

Ok, just FYI, I fixed it for now by adding an explicit CloudFormation access policy to the ECSRole with this configuration. That's probably not following the "minimal permissions" policy, but it works for now. I read the docs as saying that cfn-init and co. would have automatic access to their respective stacks.

```yaml
cloudformationAccessRole:
  Type: AWS::IAM::Policy
  Properties:
    PolicyName: !Sub "${AWS::StackName}-cfn"
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        -
          Effect: "Allow"
          Action:
            - "cloudformation:DescribeStackResource"
            - "cloudformation:SignalResource"
          Resource:
            - "*"
    Roles:
      - !Ref ECSRole
```
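A tighter version of that policy, added here as an example and not taken from the issue or from the reference architecture: the two AccessDenied lines in the first comment name only cloudformation:DescribeStackResource and cloudformation:SignalResource, both on the ARN of the ecs-cluster stack itself, so the Resource can be limited to that stack instead of "*". It assumes the policy is declared in the same stack the instances signal, so that ${AWS::StackName} resolves to that stack; the resource name and the ECSRole reference are reused from the comment above.

```yaml
# Added example (not from the issue): the same policy as in the comment above,
# scoped to the stack the instances signal instead of "*".
# Assumption: this resource lives in the stack the instances signal, so
# ${AWS::StackName} resolves to the stack named in the log lines (ecs-cluster).
cloudformationAccessRole:
  Type: AWS::IAM::Policy
  Properties:
    PolicyName: !Sub "${AWS::StackName}-cfn"
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          # Only the two actions the AccessDenied log lines asked for.
          Action:
            - cloudformation:DescribeStackResource
            - cloudformation:SignalResource
          # Stack ARNs end in a generated id, hence the trailing /* after the
          # stack name, matching the resource shown in the log lines.
          Resource:
            - !Sub "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*"
    Roles:
      - !Ref ECSRole
```

With this scope, an instance in a cluster created from a different stack would still get an AccessDenied on SignalResource, which is the intended outcome: the instance role can report status only for the stack that launched it. The AccessDenied lines in the instance system log remain the first place to look if signalling stops working again.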

Hmm, I'm a little confused, are you using that ECS role in your CodePipeline pipeline?