AWS IAM Permissions
Below are two default policies that you can use with ECS Deployer.
The first policy is the less restrictive of the two: every statement uses `"Resource": "*"`, so a single role can be reused for all projects deployed with ECS Deployer, at the cost of not scoping the role to one cluster or project.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EnvInfoGathering",
"Effect": "Allow",
"Action": [
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"elasticloadbalancing:DescribeTargetGroups",
"logs:DescribeLogGroups",
"tag:GetResources",
"scheduler:ListSchedules"
],
"Resource": "*"
},
{
"Sid": "TaskDefinitions",
"Effect": "Allow",
"Action": [
"ecs:RegisterTaskDefinition",
"ecs:DeregisterTaskDefinition",
"ecs:ListTaskDefinitionFamilies",
"ecs:ListTaskDefinitions",
"ecs:DescribeTaskDefinition"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ecs:DescribeTasks",
"ecs:DescribeServices",
"ecs:UpdateService",
"ecs:DeleteService",
"ecs:CreateService",
"ecs:RunTask"
],
"Resource": "*"
},
{
"Sid": "CronSetup",
"Effect": "Allow",
"Action": [
"scheduler:GetSchedule",
"scheduler:UpdateSchedule",
"scheduler:CreateSchedule",
"scheduler:DeleteSchedule",
"scheduler:GetScheduleGroup",
"scheduler:CreateScheduleGroup"
],
"Resource": "*"
},
{
"Sid": "ImportSSMParams",
"Effect": "Allow",
"Action": [
"ssm:GetParametersByPath"
],
"Resource": "*"
},
{
"Sid": "Logging",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:PutRetentionPolicy"
],
"Resource": "*"
},
{
"Sid": "TagManagement",
"Effect": "Allow",
"Action": [
"logs:TagLogGroup",
"ecs:TagResource",
"scheduler:TagResource"
],
"Resource": "*"
},
{
"Sid": "RolePassing",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringLike": {
"iam:PassedToService": [
"ecs-tasks.amazonaws.com",
"scheduler.amazonaws.com"
]
}
}
}
]
}
Grant (Trust Relationships)
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowFromGithubActions",
"Effect": "Allow",
"Action": "sts:AssumeRoleWithWebIdentity",
"Principal": {
"Federated": "arn:aws:iam::ACCOUNTID:oidc-provider/token.actions.githubusercontent.com"
},
"Condition": {
"StringEquals": {
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
},
"StringLike": {
"token.actions.githubusercontent.com:sub": "repo:YOUR_GITHUB_ORG/*"
}
}
}
]
}
Make sure to replace the placeholders!
These examples contain placeholders that you must replace with values for your environment. These are the placeholders:
- REGION - The AWS region short code (for example us-east-1 or us-west-2)
- ACCOUNTID - Your numerical AWS account ID
- CLUSTER_NAME - Name of the ECS cluster specified for `cluster`
- PROJECT_NAME - Value of `project`
- APP_ROLE - Role you used for `role`
- ECS_EXECUTION_ROLE - Role you used for `execution_role`
- CRON_LAUNCHER_ROLE - Role you used for `cron_launcher_role`
- YOUR_GITHUB_ORG - Your GitHub organization, used in the `token.actions.githubusercontent.com:sub` condition of the GitHub Actions trust policy above (the `repo:YOUR_GITHUB_ORG/*` pattern matches every repository in that organization)
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EnvInfoGathering",
"Effect": "Allow",
"Action": [
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"elasticloadbalancing:DescribeTargetGroups",
"logs:DescribeLogGroups",
"tag:GetResources",
"scheduler:ListSchedules"
],
"Resource": "*"
},
{
"Sid": "TaskDefinitions",
"Effect": "Allow",
"Action": [
"ecs:RegisterTaskDefinition",
"ecs:DeregisterTaskDefinition",
"ecs:ListTaskDefinitionFamilies",
"ecs:ListTaskDefinitions",
"ecs:DescribeTaskDefinition"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ecs:DescribeTasks",
"ecs:DescribeServices"
],
"Resource": "*",
"Condition": {
"ArnEquals": {
"ecs:cluster": "arn:aws:ecs:REGION:ACCOUNTID:cluster/CLUSTER_NAME"
}
}
},
{
"Sid": "ServiceDeployment",
"Effect": "Allow",
"Action": [
"ecs:UpdateService",
"ecs:DeleteService"
],
"Resource": "arn:aws:ecs:REGION:ACCOUNTID:service/CLUSTER_NAME/PROJECT_NAME-*",
"Condition": {
"ArnEquals": {
"ecs:cluster": "arn:aws:ecs:REGION:ACCOUNTID:cluster/CLUSTER_NAME"
}
}
},
{
"Sid": "ServiceCreation",
"Effect": "Allow",
"Action": [
"ecs:CreateService"
],
"Resource": "arn:aws:ecs:REGION:ACCOUNTID:service/CLUSTER_NAME/PROJECT_NAME-*",
"Condition": {
"ArnEquals": {
"ecs:cluster": "arn:aws:ecs:REGION:ACCOUNTID:cluster/CLUSTER_NAME"
},
"StringEquals": {
"aws:RequestTag/ecsdeployer/project": [
"PROJECT_NAME"
]
}
}
},
{
"Sid": "ResourceTaggingECS",
"Effect": "Allow",
"Action": [
"ecs:TagResource"
],
"Resource": [
"arn:aws:ecs:REGION:ACCOUNTID:service/CLUSTER_NAME/PROJECT_NAME-*",
"arn:aws:ecs:REGION:ACCOUNTID:task-definition/PROJECT_NAME-*"
]
},
{
"Sid": "PreDeployTasks",
"Effect": "Allow",
"Action": [
"ecs:RunTask"
],
"Resource": "*",
"Condition": {
"ArnEquals": {
"ecs:cluster": "arn:aws:ecs:REGION:ACCOUNTID:cluster/CLUSTER_NAME"
}
}
},
{
"Sid": "ImportSSMParams",
"Effect": "Allow",
"Action": [
"ssm:GetParametersByPath"
],
"Resource": "arn:aws:ssm:*:*:parameter/ecsdeployer/secrets/PROJECT_NAME/*"
},
{
"Sid": "Logging",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:PutRetentionPolicy",
"logs:TagLogGroup"
],
"Resource": [
"arn:aws:logs:REGION:ACCOUNTID:log-group:/ecsdeployer/app/PROJECT_NAME*",
"arn:aws:logs:REGION:ACCOUNTID:log-group:/ecsdeployer/app/PROJECT_NAME*:*"
]
},
{
"Sid": "CronSetup",
"Effect": "Allow",
"Action": [
"scheduler:GetSchedule",
"scheduler:UpdateSchedule",
"scheduler:CreateSchedule",
"scheduler:DeleteSchedule"
],
"Resource": "arn:aws:scheduler:*:*:schedule/PROJECT_NAME/*"
},
{
"Sid": "CronSetupGroup",
"Effect": "Allow",
"Action": [
"scheduler:GetScheduleGroup",
"scheduler:CreateScheduleGroup"
],
"Resource": "*"
},
{
"Sid": "EcsPassRole",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": [
"arn:aws:iam::ACCOUNTID:role/APP_ROLE",
"arn:aws:iam::ACCOUNTID:role/ECS_EXECUTION_ROLE"
],
"Condition": {
"StringLike": {
"iam:PassedToService": [
"ecs-tasks.amazonaws.com"
]
}
}
},
{
"Sid": "CronPassRole",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": [
"arn:aws:iam::ACCOUNTID:role/CRON_LAUNCHER_ROLE"
],
"Condition": {
"StringLike": {
"iam:PassedToService": [
"scheduler.amazonaws.com"
]
}
}
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:RunTask"
],
"Resource": "*"
},
{
"Sid": "RolePassing",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringLike": {
"iam:PassedToService": [
"ecs-tasks.amazonaws.com"
]
}
}
}
]
}
Grant (Trust Relationships)
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowFromScheduler",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"Service": "scheduler.amazonaws.com"
},
"Condition": {
"StringEquals": {
"aws:SourceAccount": "ACCOUNTID"
}
}
},
{
"Sid": "DeprecatedAllowFromEventbridge",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"Service": "events.amazonaws.com"
}
}
]
}