drmonkeysee/ecs-scheduler

AWS IAM permission required to launch tasks into ECS

Closed this issue · 2 comments

Hi, me again!

So I have got the dockerised ecs-scheduler running as a service in ECS and am trying to launch a task definition on a schedule.

I can run the task definition manually no problem, but am having a few issues with the permissions. I can work through the errors, but was wondering whether you had stored a list of required permissions? It would expedite things for me :)

My current permissions are:

      policy_tf_expr = {
        "Version" : "2012-10-17",
        "Statement" : [
          {
            "Sid" : "VisualEditor0",
            "Effect" : "Allow",
            "Action" : [
              "ecs:SubmitTaskStateChange",
              "ecs:PutAttributes",
              "ecs:ListAttributes",
              "ecs:ExecuteCommand",
              "ecs:UpdateContainerInstancesState",
              "ecs:StartTask",
              "ecs:DescribeTaskSets",
              "ecs:DeleteTaskSet",
              "ecs:DescribeClusters",
              "ecs:SubmitAttachmentStateChanges",
              "ecs:Poll",
              "ecs:ListTagsForResource",
              "ecs:RunTask",
              "ecs:ListTasks",
              "ecs:SubmitContainerStateChange",
              "ecs:ListContainerInstances",
              "ecs:DescribeContainerInstances",
              "ecs:DeregisterContainerInstance",
              "ecs:TagResource",
              "ecs:UntagResource",
              "ecs:UpdateTaskSet"
            ],
            "Resource" : [
              "arn:aws:ecs:eu-west-1:*:task-set/devops-release-kraken/*/*",
              "arn:aws:ecs:eu-west-1:*:cluster/devops-release-kraken",
              "arn:aws:ecs:eu-west-1:*:container-instance/*",
              "arn:aws:ecs:eu-west-1:*:task-definition/devops-release-kraken-td:*"
            ]
          },
          {
            "Sid" : "VisualEditor1",
            "Effect" : "Allow",
            "Action" : [
              "ecs:DeregisterTaskDefinition",
              "ecs:ListServices",
              "ecs:DiscoverPollEndpoint",
              "ecs:ListTaskDefinitionFamilies",
              "ecs:RegisterTaskDefinition",
              "ecs:ListTaskDefinitions",
              "ecs:DescribeTaskDefinition",
              "ecs:ListClusters"
            ],
            "Resource" : "*"
          },
          {
            "Sid" : "VisualEditor2",
            "Effect" : "Allow",
            "Action" : [
              "iam:CreateServiceLinkedRole",
              "iam:UpdateRoleDescription"
            ],
            "Resource" : "arn:aws:iam::*:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS*",
            "Condition" : {
              "StringLike" : {
                "iam:AWSServiceName" : "ecs.amazonaws.com"
              }
            }
          },
          {
            "Sid" : "VisualEditor3",
            "Effect" : "Allow",
            "Action" : [
              "iam:PassRole"
            ],
            "Resource" : "arn:aws:iam::*:role/*"
          }
        ]
      }

Many thanks!

Best

All ECS interaction is in one module: https://github.com/drmonkeysee/ecs-scheduler/blob/adb2b7b906b3d3139cad072f74e9cc70e960ddbb/ecs_scheduler/scheduld/execution.py

Looking at usage of self._ecs, the only interactions are "list tasks", "describe tasks", and "run task". I'm not sure exactly which IAM roles those map to; you'll have to consult the AWS API documentation.
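Worked example, added here and not code from ecs-scheduler or from either commenter: a small Python script that maps the three boto3 calls named above (list_tasks, describe_tasks, run_task) to their IAM actions, checks a trimmed, constructed copy of the policy posted in the issue for those actions, and builds a tighter replacement policy. The function names, the account ID 123456789012 and the role ARN are assumptions for illustration; the resource types and condition keys follow the ECS entry in the AWS Service Authorization Reference as I understand it, so verify them there before deploying. The checker only looks at Action/Effect, so "allow" means the action is named, not that the Resource or Condition blocks will let the real call succeed.

```python
"""Least-privilege IAM check for ecs-scheduler's boto3 usage (added example)."""
import fnmatch
import json

# The scheduler's boto3 calls on the ECS client, per the maintainer's comment.
SCHEDULER_CALLS = ["list_tasks", "describe_tasks", "run_task"]

# Constructed, trimmed copy of the policy posted in the issue: it names
# ListTasks and RunTask but not DescribeTasks, and passes any role at all.
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ecs:StartTask", "ecs:RunTask", "ecs:ListTasks", "ecs:DescribeClusters"],
            "Resource": ["arn:aws:ecs:eu-west-1:*:cluster/devops-release-kraken",
                         "arn:aws:ecs:eu-west-1:*:task-definition/devops-release-kraken-td:*"],
        },
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "arn:aws:iam::*:role/*"},
    ],
}


def boto3_method_to_action(method, service="ecs"):
    """boto3 snake_case method -> IAM action: ECS actions are 'ecs:' + API operation."""
    return service + ":" + "".join(part.capitalize() for part in method.split("_"))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    """IAM Action matching is case-insensitive and supports '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower()) for pat in patterns)


def evaluate_actions(policy, actions):
    """Return {action: 'allow' | 'deny' | 'missing'}, ignoring Resource and Condition.
    NotAction statements are not handled in this example."""
    result = {}
    for action in actions:
        verdict = "missing"
        for stmt in _as_list(policy["Statement"]):
            if "Action" not in stmt or not _matches(action, _as_list(stmt["Action"])):
                continue
            if stmt["Effect"] == "Deny":
                verdict = "deny"  # an explicit deny always wins
                break
            verdict = "allow"
        result[action] = verdict
    return result


def missing_actions(policy, methods=SCHEDULER_CALLS):
    """Actions the scheduler's calls need that the policy does not allow."""
    verdicts = evaluate_actions(policy, [boto3_method_to_action(m) for m in methods])
    return sorted(action for action, verdict in verdicts.items() if verdict != "allow")


def scheduler_policy(region, account, cluster, family, task_role_arns):
    """Minimal policy: the three ECS actions scoped to one cluster and task-definition
    family, plus iam:PassRole only for the roles the task definition references and
    only when they are passed to ECS tasks (hypothetical helper, values assumed)."""
    ecs = f"arn:aws:ecs:{region}:{account}:"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "SchedulerEcsCalls",
                "Effect": "Allow",
                "Action": [boto3_method_to_action(m) for m in SCHEDULER_CALLS],
                # Resource types per the Service Authorization Reference: RunTask ->
                # task-definition, ListTasks -> container-instance, DescribeTasks -> task.
                # Task and container-instance ARNs assume the long (cluster-qualified) format.
                "Resource": [
                    ecs + f"task-definition/{family}:*",
                    ecs + f"task/{cluster}/*",
                    ecs + f"container-instance/{cluster}/*",
                ],
                "Condition": {"ArnEquals": {"ecs:cluster": ecs + f"cluster/{cluster}"}},
            },
            {
                "Sid": "PassTaskRolesToEcsOnly",
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": list(task_role_arns),  # task role + execution role, never role/*
                "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}},
            },
        ],
    }


if __name__ == "__main__":
    print("missing from posted policy:", missing_actions(POSTED_POLICY))
    print(json.dumps(scheduler_policy("eu-west-1", "123456789012", "devops-release-kraken",
                                      "devops-release-kraken-td",
                                      ["arn:aws:iam::123456789012:role/kraken-task"]), indent=2))
```

Run against the policy in the issue, the checker reports ecs:DescribeTasks as the one missing action, which matches the maintainer's list. The generated policy also replaces iam:PassRole on role/* with the task definition's own role ARNs plus an iam:PassedToService condition; the unscoped PassRole is the part of the posted policy a reviewer would flag first, since it lets the scheduler's credentials launch a task under any role in the account.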

That's great! Many thanks :)