ECS: Task role default policies race condition

[automartin5000]

What is the problem?

The "Default" task role policy for an ECS Task Definition is automatically created separately from the actual IAM Role. However, there's no explicit "DependsOn" so that the creation of the Task Definition has to wait for the inline policy to be added to the role. Under normal circumstances, this might be fine for Fargate Services, as the inline policy appears to "beat" the Fargate services to creation. However, in my case, I'm trying to execute the Task Definition as soon as it's created (via a Custom Resource and Step Functions) and my execution start of my state machine keeps beating the inline policy :)

There's also no way to reference the inline policy resource that's created to add an explicit dependency to the task definition on the policy.

Reproduction Steps

Try to run a task definition before the CloudFormation Stack has a chance to complete

What did you expect to happen?

Task execution completes successfully

What actually happened?

Task execution fails due to missing policies

CDK CLI Version

2.8.0 (build 8a5eb49)

Framework Version

No response

Node.js Version

v16.13.2

OS

Mac OS 12.1

Language

Python

Language Version

No response

Other information

I don't see why the L2 Task Definition Construct wouldn't always just have an explicit dependency on its managed policy. In the absence of that, allowing grants to a managed policy would also solve this.

[automartin5000]

Solved with .add_dependency(task_role.node.find_child("DefaultPolicy")), but I still think this is a bug. Just kidding, circular dependency error. The circular dependency was on my side, this workaround did fix it.

[madeline-k]

Thanks for opening this detailed issue and providing a workaround, @automartin5000! I agree with you, we should fix this. But triaging it as a p2 for now, which means we will not be able to prioritize implementation right now.

We are always open to contributions! If you are interested, check out the guide to get started.

[github-actions]

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

[related-issues-bot-for-aws]

Hi @automartin5000,

Thanks for opening this issue! After reviewing the details, we found some other discussions that may be duplicates or closely related:

Potential Duplicate Issues

• aws-ecs: Race condition in Ec2Service & FargateService between updating the TaskRole default policy and the CfnService #24880: This issue describes the same race condition where IAM task role policies aren't established before ECS resources need them. While the current issue focuses on executing tasks immediately via Custom Resource and Step Functions, this issue focuses on services starting up without permissions. Both share identical root cause - lack of explicit dependency between task role policies and resources that use them. The issue was resolved by PR fix(ecs): potential race condition on TaskRole default policy update with CfnService #26070 which added dependencies to ensure the TaskRole and its policies are updated before the service. (Resolved by PR fix(ecs): potential race condition on TaskRole default policy update with CfnService #26070: fix(ecs): potential race condition on TaskRole default policy update with CfnService)

Related Issues

• aws-ecs: Race condition in Ec2Service & FargateService between updating the TaskRole default policy and the CfnService #24880: This issue describes the same race condition where IAM task role policies aren't established before ECS resources need them. While the current issue focuses on executing tasks immediately via Custom Resource and Step Functions, this issue focuses on services starting up without permissions. Both share identical root cause - lack of explicit dependency between task role policies and resources that use them. The issue was resolved by PR fix(ecs): potential race condition on TaskRole default policy update with CfnService #26070 which added dependencies to ensure the TaskRole and its policies are updated before the service.

• (aws-ecs): Fargate deployment role permissions are not set until the end of the deployment #16247: This issue describes a similar race condition in ECS Fargate where deployment role permissions aren't available when needed during deployment. Both issues involve timing problems with IAM policies for ECS tasks - in the current issue, task execution fails when started immediately after creation, while in this issue, Fargate deployment fails when attempting to pull from ECR because permissions aren't ready. Both stem from missing dependencies between IAM policy attachments and resources that need those permissions.

• iam: need a well-supported way to depend on added permissions #7236: This issue relates to the same fundamental problem but in Kinesis/Firehose contexts rather than ECS. Both issues describe the CloudFormation race condition pattern where resources are created before their required IAM permissions are fully attached. Both issues demonstrate the same pattern - AWS resources failing because they're created/executed before the IAM policies they depend on are fully established, and both require proper dependency chains between resources and their IAM permissions.

This message was generated automatically to help connect related conversations and improve discoverability.

If you feel this issue brings new or distinct information, feel free to add a comment to keep it open. Otherwise, we'll close this issue in 7 days if we don't recieve a response to help keep discussions consolidated.

Please react with 👍 or 👎 to let us know if this response was helpful!

Thank you for helping improve CDK! 🙌