Amazon Elastic Container Service
Developer Guide (API Version 2014-11-13)

Amazon ECS Service Auto Scaling IAM Role

Before you can use Service Auto Scaling with Amazon ECS, the Application Auto Scaling service needs permission to describe your CloudWatch alarms and registered services, as well as permission to update your Amazon ECS service's desired count on your behalf. These permissions are provided by the Service Auto Scaling IAM role (ecsAutoscaleRole).


IAM users also require permissions to use Service Auto Scaling; these permissions are described in Service Auto Scaling Required IAM Permissions. If an IAM user has the required permissions to use Service Auto Scaling in the Amazon ECS console, create IAM roles, and attach IAM role policies to them, then that user can create this role automatically as part of the Amazon ECS console create service or update service workflows, and then use the role for any other service later (in the console or with the AWS CLI or SDKs).

You can use the following procedure to check whether your account already has the Service Auto Scaling IAM role.

The AmazonEC2ContainerServiceAutoscaleRole policy is shown below.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ecs:DescribeServices",
            "ecs:UpdateService"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "cloudwatch:DescribeAlarms",
            "cloudwatch:PutMetricAlarm"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }

To check for the Service Auto Scaling role in the IAM console

  1. Open the IAM console at

  2. In the navigation pane, choose Roles.

  3. Search the list of roles for ecsAutoscaleRole. If the role does not exist, use the procedure below to create the role. If the role does exist, select the role to view the attached policies.

  4. Choose the Permissions tab.

  5. In the Permissions policies section, ensure that the AmazonEC2ContainerServiceAutoscaleRole managed policy is attached to the role. If the policy is attached, your Amazon ECS service role is properly configured. If not, follow the substeps below to attach the policy.

    1. Choose Attach policies.

    2. To narrow the available policies to attach, for Filter, type AmazonEC2ContainerServiceAutoscaleRole.

    3. Select the box to the left of the AmazonEC2ContainerServiceAutoscaleRole policy and choose Attach policy.

  6. Choose Trust relationships, Edit trust relationship.

  7. Verify that the trust relationship contains the following policy. If the trust relationship matches the policy below, choose Cancel. If the trust relationship does not match, copy the policy into the Policy Document window and choose Update Trust Policy.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": ""
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
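The same two checks (permissions policy and trust relationship) can be run against the role's policy documents as JSON, which also surfaces drift such as extra actions or additional trusted principals. This is an added example, not part of the AWS guide: `audit_permissions`, `audit_trust` and the sample documents are hypothetical names and constructed data, and the service principal is a parameter with a placeholder value because the trust policy on this page leaves it empty. It does not evaluate `Deny`, `NotAction` or `Condition` elements.

```python
from fnmatch import fnmatchcase

# Actions granted by the AmazonEC2ContainerServiceAutoscaleRole policy shown on this page,
# lower-cased because IAM matches action names case-insensitively.
EXPECTED_ACTIONS = {"ecs:describeservices", "ecs:updateservice",
                    "cloudwatch:describealarms", "cloudwatch:putmetricalarm"}

def _as_list(value):
    """IAM accepts either a single value or a list for Statement, Action and Principal."""
    return [] if value is None else value if isinstance(value, list) else [value]

def audit_permissions(policy_doc):
    """Return (missing, extra): expected actions not covered, and allowed entries not expected."""
    allowed = set()
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") == "Allow":
            allowed.update(a.lower() for a in _as_list(stmt.get("Action")))
    missing = sorted(e for e in EXPECTED_ACTIONS if not any(fnmatchcase(e, p) for p in allowed))
    return missing, sorted(allowed - EXPECTED_ACTIONS)

def audit_trust(trust_doc, expected_service):
    """Return findings; an empty list means only expected_service can assume the role."""
    findings, trusted = [], False
    for stmt in _as_list(trust_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":  # bare wildcard: any principal may assume the role
            findings.append("wildcard principal")
            continue
        for kind, values in (principal or {}).items():
            for name in _as_list(values):
                if kind == "Service" and name == expected_service:
                    if "sts:assumerole" in (a.lower() for a in _as_list(stmt.get("Action"))):
                        trusted = True
                else:
                    findings.append(f"unexpected principal {kind}:{name}")
    if not trusted:
        findings.append(f"{expected_service} cannot assume the role")
    return findings

# Constructed sample input: a role that has drifted from the documented configuration.
SERVICE = "SERVICE-PRINCIPAL-PLACEHOLDER"  # placeholder; use the principal from your trust policy
DRIFTED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecs:DescribeServices", "ecs:*"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": "cloudwatch:DescribeAlarms", "Resource": "*"}]}
DRIFTED_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": SERVICE, "AWS": "arn:aws:iam::111122223333:root"}}]}
print(audit_permissions(DRIFTED_POLICY), audit_trust(DRIFTED_TRUST, SERVICE))
```

Wildcard entries such as `ecs:*` count as covering the expected actions but are still reported as extra, since they grant more than the documented policy.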

To create an IAM role for Service Auto Scaling

  1. Open the IAM console at

  2. In the navigation pane, choose Roles and then choose Create role.

  3. In the Choose the service that will use this role section, choose Elastic Container Service.

  4. In the Select your use case section, choose Elastic Container Service Autoscale, Next: Permissions.

  5. For Add tags (optional), enter any key-value tags you wish to add to the IAM role. Choose Next: Review when finished.

  6. In the Role name field, type ecsAutoscaleRole to name the role, and then choose Create Role to finish.