aws lambda function can't update ecs service
Question
When trying to call update_service on an ECS service using Python boto3, I got an error like this:
> An error occurred (AccessDeniedException) when calling the UpdateService operation: User: arn:aws:sts::xxx:assumed-role/infra-conductors/infra-conductors is not authorized to perform: iam:PassRole on resource: arn:aws:iam::xxx:role/ecs/ecsTaskExecutionRole-test with an explicit deny in a service control policy
But I've already added permissions and a trust policy to this lambda:
```json
{
  "Action": [
    "iam:PassRole"
  ],
  "Effect": "Allow",
  "Resource": [
    "arn:aws:iam::xxx:role/ecs/ecsTaskExecutionRole-test"
  ],
  "Sid": "test"
}
```
and:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "lambda.amazonaws.com",
          "ecs.amazonaws.com",
          "ecs-tasks.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
BTW, I attached other permissions to this lambda, and it can reboot an ECS service or change the desiredCount, but when I try to change the task definition, I get this error.
Answer 1
Score: 3
The error says that it was denied with an explicit deny. This means that somewhere there is a policy that explicitly denies what you are trying to do. Since a deny statement always takes precedence over any allow, first you have to find the policy with the deny and remove the deny.
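To make the answer's point concrete, here is an added example (not part of the original question or answer) that models IAM's evaluation order locally and runs the question's own identity policy against a constructed SCP. The identity policy is the one from the question; the two SCPs, their Sids and the `/role/ecs/*` pattern are assumptions, since the page does not show the real organization SCP. A second helper parses the AccessDeniedException text to tell an explicit deny (a Deny to find and remove) from an implicit one (a missing Allow).

```python
"""Local model of IAM policy evaluation for the iam:PassRole case above.
Added example, not the original poster's code. Conditions, NotAction and
NotResource are not modelled; only Effect/Action/Resource matching is."""
import fnmatch
import re

IDENTITY_POLICY = {  # statement copied from the question; "xxx" is the redacted account id
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "test",
        "Effect": "Allow",
        "Action": ["iam:PassRole"],
        "Resource": ["arn:aws:iam::xxx:role/ecs/ecsTaskExecutionRole-test"],
    }],
}

SCP_FULL_ACCESS = {  # constructed: the usual allow-everything SCP attached by default
    "Version": "2012-10-17",
    "Statement": [{"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}

SCP_DENY_ECS_PASSROLE = {  # constructed guardrail with a hypothetical Sid and pattern
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyPassRoleUnderEcsPath",
        "Effect": "Deny",
        "Action": "iam:PassRole",
        "Resource": "arn:aws:iam::*:role/ecs/*",
    }],
}

ACTION = "iam:PassRole"
RESOURCE = "arn:aws:iam::xxx:role/ecs/ecsTaskExecutionRole-test"

# The message from the question, re-assembled here as sample input.
SAMPLE_ERROR = (
    "An error occurred (AccessDeniedException) when calling the UpdateService "
    "operation: User: arn:aws:sts::xxx:assumed-role/infra-conductors/infra-conductors "
    "is not authorized to perform: iam:PassRole on resource: "
    "arn:aws:iam::xxx:role/ecs/ecsTaskExecutionRole-test "
    "with an explicit deny in a service control policy"
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    # IAM uses "*" and "?" wildcards; action names are case-insensitive, ARNs are not.
    if fold_case:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower() if fold_case else p)
               for p in _as_list(patterns))


def evaluate_policy(policy, action, resource):
    """Return ("Deny", sid), ("Allow", sid) or None for one policy document."""
    allow = None
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action", []), action, fold_case=True):
            continue
        if "Resource" in stmt and not _matches(stmt["Resource"], resource, fold_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return ("Deny", stmt.get("Sid", ""))  # a matching Deny ends this policy's evaluation
        allow = ("Allow", stmt.get("Sid", ""))
    return allow


def evaluate_request(identity_policies, scps, action, resource):
    """Mirror IAM's order: an explicit Deny anywhere wins, then the SCPs must allow,
    then an identity policy must allow; anything else is an implicit deny.
    Returns (decision, reason) with decision in {allowed, explicitDeny, implicitDeny}."""
    for label, policies in (("SCP", scps), ("identity", identity_policies)):
        for policy in policies:
            result = evaluate_policy(policy, action, resource)
            if result and result[0] == "Deny":
                return ("explicitDeny", f"{label} statement {result[1]!r}")
    if scps and not any(evaluate_policy(p, action, resource) for p in scps):
        return ("implicitDeny", "no SCP allows the action")
    for policy in identity_policies:
        result = evaluate_policy(policy, action, resource)
        if result:  # only an Allow can reach this point
            return ("allowed", f"identity statement {result[1]!r}")
    return ("implicitDeny", "no identity policy allows the action")


ACCESS_DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+) "
    r"on resource: (?P<resource>\S+)(?: with an explicit deny in (?P<source>[^.]+))?"
)


def parse_access_denied(message):
    """Extract principal, action, resource and the explicit-deny source (if any).
    No source means an implicit deny: add an Allow rather than hunt for a Deny."""
    m = ACCESS_DENIED_RE.search(message)
    if not m:
        return None
    found = m.groupdict()
    found["explicit"] = found["source"] is not None
    return found


if __name__ == "__main__":
    print(parse_access_denied(SAMPLE_ERROR))
    # With the guardrail SCP attached, the identity Allow from the question cannot win:
    print(evaluate_request([IDENTITY_POLICY], [SCP_FULL_ACCESS, SCP_DENY_ECS_PASSROLE], ACTION, RESOURCE))
    # Once the Deny is gone (the answer's advice), the same Allow is sufficient:
    print(evaluate_request([IDENTITY_POLICY], [SCP_FULL_ACCESS], ACTION, RESOURCE))
```

Against a real account the same question can be put to the IAM policy simulator through boto3's `simulate_principal_policy` call (`PolicySourceArn` set to the Lambda's role, `ActionNames=["iam:PassRole"]`, `ResourceArns=[...]`), whose evaluation results report the decision and whether Organizations (that is, the SCPs) allowed the action; that call needs credentials and is therefore not run here.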
Comments