
Invalid ARN Format in IAM Policy Creation for ECS Platform #3640

@YH1715

Bug Report: Invalid ARN Format in IAM Policy Creation for ECS Platform

Version info:


artillery 2.0.26

node v22.13.0

Running this command:

npx artillery run-fargate --region ap-northeast-1 --count 1 tests/artillery_test.ts

I expected to see this happen:

The command should successfully create the required IAM resources (artilleryio-ecs-worker-role and artilleryio-ecs-worker-policy) and proceed with the load test execution on AWS ECS Fargate.

Instead, this happened:

The command fails during IAM policy creation with the following errors:

1. First error (SSM resource):


MalformedPolicyDocumentException: Partition "ssm" is not valid for resource "arn:ssm:*:xxxxxxxxxxxxxx:parameter/artilleryio/*:*"

2. After fixing SSM, second error (CloudWatch Logs resource):


MalformedPolicyDocumentException: Partition "logs" is not valid for resource "arn:logs:*:xxxxxxxxxxxxxx:log-group:artilleryio-log-group*:*"

Result: The IAM role (artilleryio-ecs-worker-role) is created successfully, but the policy (artilleryio-ecs-worker-policy) fails to create, preventing the test from running.

Root Cause:

In node_modules/artillery/lib/platform/aws-ecs/ecs.js, the createWorkerRole function (line 138) is a standalone function, not a class method. However, it references this.arnPrefx when building IAM policy ARNs (lines 199, 205, 211-212):

async function createWorkerRole(accountId, taskRoleName) {
  // ...
  const policyDocument = {
    Version: '2012-10-17',
    Statement: [
      {
        Effect: 'Allow',
        Action: ['logs:*'],
        Resource: [
          `${this.arnPrefx}:logs:*:${accountId}:log-group:artilleryio-log-group*:*`  // ❌ this.arnPrefx is undefined
        ]
      },
      {
        Effect: 'Allow',
        Action: ['sqs:*'],
        Resource: [`${this.arnPrefx}:sqs:*:${accountId}:artilleryio*`]  // ❌ this.arnPrefx is undefined
      },
      {
        Effect: 'Allow',
        Action: ['s3:*'],
        Resource: [
          `${this.arnPrefx}:s3:::${S3_BUCKET_NAME_PREFIX}-${accountId}`,  // ❌ this.arnPrefx is undefined
          `${this.arnPrefx}:s3:::${S3_BUCKET_NAME_PREFIX}-${accountId}/*`  // ❌ this.arnPrefx is undefined
        ]
      }
    ]
  };
}

Since this is undefined in this context, the ARNs become malformed:

- arn:ssm:*:... instead of arn:aws:ssm:*:...

- arn:logs:*:... instead of arn:aws:logs:*:...

- etc.

Evidence:

The same issue exists in other resources (logs, sqs, s3) on lines 199, 205, 211-212. The issue can be resolved by adding this.arnPrefx = 'arn:aws'; at the beginning of the createWorkerRole function:

async function createWorkerRole(accountId, taskRoleName) {
  this.arnPrefx = 'arn:aws';  // ← Add this line to fix the undefined reference
  const iam = new IAMClient({ region: global.artillery.awsRegion });
  // ... rest of the function
}

This workaround allows the existing template string references (${this.arnPrefx}:logs:*:..., etc.) to work correctly.

Suggested Fix:

Either:

1. Pass arnPrefx as a parameter to the createWorkerRole function

2. Use arn:aws directly (hardcoded) for all resources, similar to the SSM workaround

3. Make createWorkerRole a method of the PlatformECS class to maintain proper this context

Environment:

- OS: Windows 10

- Region: ap-northeast-1

- AWS Profile: Using SSO authentication
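
The first suggested fix above (pass the prefix as a parameter), paired with a pre-flight check on the policy's Resource ARNs, as an added example that is not Artillery's code. The function names `arnPrefixForRegion`, `buildWorkerPolicy` and `findMalformedArns` and the bucket-prefix argument are hypothetical, and only the aws, aws-cn and aws-us-gov partitions are assumed.

```javascript
// Added example, not Artillery's code. All function names are hypothetical.
// Assumption: only these three partitions are in scope.
const KNOWN_PARTITIONS = new Set(['aws', 'aws-cn', 'aws-us-gov']);

// Derive the ARN prefix from the region instead of reading it from `this`.
function arnPrefixForRegion(region) {
  if (region.startsWith('cn-')) return 'arn:aws-cn';
  if (region.startsWith('us-gov-')) return 'arn:aws-us-gov';
  return 'arn:aws';
}

// The prefix is an explicit parameter, so a standalone function cannot
// silently pick up an undefined value. Statements mirror the issue's excerpt.
function buildWorkerPolicy(arnPrefix, accountId, bucketPrefix) {
  return {
    Version: '2012-10-17',
    Statement: [
      { Effect: 'Allow', Action: ['logs:*'],
        Resource: [`${arnPrefix}:logs:*:${accountId}:log-group:artilleryio-log-group*:*`] },
      { Effect: 'Allow', Action: ['sqs:*'],
        Resource: [`${arnPrefix}:sqs:*:${accountId}:artilleryio*`] },
      { Effect: 'Allow', Action: ['s3:*'],
        Resource: [`${arnPrefix}:s3:::${bucketPrefix}-${accountId}`,
                   `${arnPrefix}:s3:::${bucketPrefix}-${accountId}/*`] }
    ]
  };
}

// Return every Resource that is not of the form
// arn:<known partition>:<service>:<region>:<account>:<resource>.
// Run this before sending the document to IAM to fail early and locally.
function findMalformedArns(policyDocument) {
  const bad = [];
  for (const stmt of [].concat(policyDocument.Statement)) {
    for (const resource of [].concat(stmt.Resource || [])) {
      if (resource === '*') continue; // bare wildcard is not an ARN
      const parts = resource.split(':');
      const ok = parts.length >= 6 && parts[0] === 'arn' &&
        KNOWN_PARTITIONS.has(parts[1]) && parts[2].length > 0;
      if (!ok) bad.push(resource);
    }
  }
  return bad;
}
```
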
