prakhar1989/docker-curriculum

AWS Elastic Container Service permissions

behai-nguyen opened this issue · 0 comments

Thank you for such a great Docker tutorial. I'm new to AWS also. I followed the tutorial to completion. Starting with the "AWS Elastic Container Service" section, I ran into permission issues. It took several hours for me to figure them all out:

For example, with:

"C:\Program Files\Amazon\ECSCLI\ecs-cli.exe" up --keypair ecs --capability-iam --size 1 --instance-type t2.medium

FATA[0000] Error executing 'up': AccessDeniedException: User: arn:aws:iam::366004406550:user/behai-iam is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:ap-southeast-2::parameter/aws/service/ecs/optimized-ami/amazon-linux-2/recommended because no identity-based policy allows the ssm:GetParameter action
status code: 400, request id: f66824d0-80cb-49bb-9465-75671d4a5417

For behai-iam, I had to add several inline policies. I am listing them here:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ssm:PutParameter",
        "ssm:DeleteParameter",
        "ssm:GetParameterHistory",
        "ssm:GetParametersByPath",
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:DeleteParameters"
      ],
      "Resource": "arn:aws:ssm:ap-southeast-2::parameter/*"
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeStacks"
      ],
      "Resource": "arn:aws:cloudformation:ap-southeast-2:366004406550:stack/amazon-ecs-cli-setup-foodtrucks/"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack"
      ],
      "Resource": "arn:aws:cloudformation:ap-southeast-2:366004406550:stack/amazon-ecs-cli-setup-foodtrucks/",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": ""
        }
      }
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack"
      ],
      "Resource": "arn:aws:cloudformation:ap-southeast-2:366004406550:stack/amazon-ecs-cli-setup-foodtrucks/*"
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:CreateRole",
        "iam:PutRolePolicy",
        "iam:CreateInstanceProfile",
        "iam:AddRoleToInstanceProfile",
        "iam:ListRoles",
        "iam:GetPolicy",
        "iam:GetInstanceProfile",
        "iam:GetPolicyVersion",
        "iam:AttachRolePolicy"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iam::366004406550:role/*"
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:RunTask"
      ],
      "Condition": {
        "ArnEquals": {
          "ecs:cluster": "arn:aws:ecs:ap-southeast-2:366004406550:cluster/"
        }
      },
      "Resource": [
        "arn:aws:ecs:ap-southeast-2:366004406550:task-definition/"
      ]
    }
  ]
}

Thank you and best regards.
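
Added example (not part of the original issue or of the tutorial's code): a Python sketch that reads the `AccessDeniedException` text printed by `ecs-cli` above and turns each denial into an Allow statement limited to the exact action and resource ARN named in the error. The regular expression and the function names are assumptions made for this example; the sample error is the one quoted in the issue.

```python
import json
import re

# Error text as quoted in the issue above (ecs-cli output, joined to one line).
SAMPLE_ERROR = (
    "FATA[0000] Error executing 'up': AccessDeniedException: User: "
    "arn:aws:iam::366004406550:user/behai-iam is not authorized to perform: "
    "ssm:GetParameter on resource: arn:aws:ssm:ap-southeast-2::parameter/aws/"
    "service/ecs/optimized-ami/amazon-linux-2/recommended because no "
    "identity-based policy allows the ssm:GetParameter action"
)

# Assumed pattern for this message shape; the resource part is optional
# because some denials do not name a resource ARN.
DENIED_RE = re.compile(
    r"User: (?P<principal>arn:aws:(?:iam|sts)::\d{12}:\S+) "
    r"is not authorized to perform: (?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+)"
    r"(?: on resource: (?P<resource>arn:\S+))?"
)

def parse_denials(text):
    """Return unique (principal, action, resource) tuples found in text."""
    seen = []
    for m in DENIED_RE.finditer(text):
        item = (m["principal"], m["action"], m["resource"])
        if item not in seen:
            seen.append(item)
    return seen

def minimal_policy(denials):
    """Build one Allow statement per resource, listing only denied actions."""
    by_resource = {}
    for _principal, action, resource in denials:
        if resource is None:
            # Without an ARN the scope has to be chosen by a person.
            raise ValueError(f"no resource ARN in error for {action}")
        by_resource.setdefault(resource, set()).add(action)
    statements = [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
        for resource, actions in sorted(by_resource.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}

if __name__ == "__main__":
    print(json.dumps(minimal_policy(parse_denials(SAMPLE_ERROR)), indent=2))
```

Feeding it the log of each failed run yields statements that grow only by what was actually denied, which makes the resulting inline policy easy to review against the error messages.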