Permissions required for the Amazon ECS console - Amazon Elastic Container Service

Permissions required for the Amazon ECS console

Following the best practice of granting least privilege, you can use the AmazonECS_FullAccess managed policy as a template for creating your own custom policy. That way, you can remove permissions from, or add permissions to, the managed policy based on your specific requirements. For more information, see AmazonECS_FullAccess in the AWS Managed Policy Reference.

Permissions for creating IAM roles

The operations described in the following sections require additional permissions, because the Amazon ECS console may need to create an IAM role to complete them.

Alternatively, you can create these roles in IAM before you use them in the Amazon ECS console. If you do not create the roles, the Amazon ECS console creates them on your behalf, which is why the principal using the console needs the role-creation permissions listed below.

Permissions required for registering an external instance to a cluster

You need additional permissions when you register an external instance to a cluster and you want the console to create a new external instance role (ecsExternalInstanceRole).

The following additional permissions are required:

  • iam – Allows principals to create and list IAM roles and their attached policies, and to create an instance profile for the role.

  • ssm – Allows principals to register the external instance with Systems Manager (ssm:CreateActivation).

Note

In order to choose an existing ecsExternalInstanceRole, you must have the iam:GetRole and iam:PassRole permissions.

The following policy contains the required permissions, and limits the actions to the ecsExternalInstanceRole role.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:CreateInstanceProfile",
        "iam:AddRoleToInstanceProfile",
        "iam:ListInstanceProfilesForRole",
        "iam:GetRole"
      ],
      "Resource": "arn:aws:iam::*:role/ecsExternalInstanceRole"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole",
        "ssm:CreateActivation"
      ],
      "Resource": "arn:aws:iam::*:role/ecsExternalInstanceRole"
    }
  ]
}

Permissions required for registering a task definition

You need additional permissions when you register a task definition and you want the console to create a new task execution role (ecsTaskExecutionRole).

The following additional permissions are required:

  • iam – Allows principals to create and list IAM roles and their attached policies.

Note

In order to choose an existing ecsTaskExecutionRole, you must have the iam:GetRole permission.

The following policy contains the required permissions, and limits the actions to the ecsTaskExecutionRole role.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:GetRole"
      ],
      "Resource": "arn:aws:iam::*:role/ecsTaskExecutionRole"
    }
  ]
}

Permissions required for creating an EventBridge rule for scheduled tasks

You need additional permissions when you schedule a task and you want the console to create a new EventBridge (formerly CloudWatch Events) role (ecsEventsRole).

The following additional permissions are required:

  • iam – Allows principals to create and list IAM roles and their attached policies, and to pass the role to EventBridge so that it can assume the role when it runs the scheduled task.

Note

In order to choose an existing ecsEventsRole, you must have the iam:GetRole and iam:PassRole permissions.

The following policy contains the required permissions, and limits the actions to the ecsEventsRole role.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:GetRole",
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/ecsEventsRole"
    }
  ]
}

Permissions required for viewing service deployments

When you follow the best practice of granting least privilege, you need to add additional permissions in order to view service deployments in the console.

You need access to the following actions:

  • ListServiceDeployments

  • DescribeServiceDeployments

  • DescribeServiceRevisions

You need access to the following resources:

  • Service

  • Service deployment

  • Service revision

The following example policy contains the required permissions and limits the actions to a single service, including that service's deployments and revisions.

Replace the Region (us-east-1), the account ID (123456789012), cluster-name, and service-name with your values.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:ListServiceDeployments",
        "ecs:DescribeServiceDeployments",
        "ecs:DescribeServiceRevisions"
      ],
      "Resource": [
        "arn:aws:ecs:us-east-1:123456789012:service/cluster-name/service-name",
        "arn:aws:ecs:us-east-1:123456789012:service-deployment/cluster-name/service-name/*",
        "arn:aws:ecs:us-east-1:123456789012:service-revision/cluster-name/service-name/*"
      ]
    }
  ]
}
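When you scope a policy down from AmazonECS_FullAccess, it is easy to drop or mistype one of the actions each console workflow needs. The following Python script is an added example, not AWS code or anything from this page: it is a small offline evaluator that checks the role-creation policies above (task execution and EventBridge roles) and the service-deployment viewing policy against the list of actions each workflow requires. The account ID 123456789012 and the cluster and service names (prod, web, api) are constructed inputs, and the evaluator models only Effect, Action and Resource with IAM's "*" and "?" wildcards; it does not model NotAction, NotResource, Condition, resource policies or permissions boundaries, so it is a sanity check, not a replacement for the IAM policy simulator.

```python
"""Offline least-privilege check for scoped ECS console policies (added example, not AWS code).
Models only Effect/Action/Resource with IAM "*" and "?" wildcards; no NotAction,
NotResource, Condition, resource policies or permissions boundaries."""
import re


def _iam_regex(pattern, case_insensitive):
    # IAM wildcards: "*" matches any run of characters, "?" exactly one character.
    body = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                   for ch in pattern)
    return re.compile("^" + body + "$", re.IGNORECASE if case_insensitive else 0)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive):
    return any(_iam_regex(p, case_insensitive).match(value) for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """True if the identity policy allows `action` on `resource`.
    An explicit Deny always wins; without a matching Allow the result is implicit deny.
    Action names are compared case-insensitively (as IAM does); ARNs are compared exactly."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if "Action" not in stmt or "Resource" not in stmt:
            continue  # NotAction / NotResource statements are outside this model
        if not _matches(stmt["Action"], action, case_insensitive=True):
            continue
        if not _matches(stmt["Resource"], resource, case_insensitive=False):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_permissions(policy, required):
    """Return the (action, resource) pairs from `required` that `policy` does not allow."""
    return [(a, r) for a, r in required if not is_allowed(policy, a, r)]


def service_deployment_policy(region, account_id, cluster, service):
    """Build the service-deployment viewing policy from this page for one service,
    scoped to that service's own deployment and revision ARNs."""
    prefix = f"arn:aws:ecs:{region}:{account_id}"
    return {
        "Version": "2012-10-17",  # stated explicitly so the document is not parsed as 2008-10-17
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ecs:ListServiceDeployments", "ecs:DescribeServiceDeployments",
                       "ecs:DescribeServiceRevisions"],
            "Resource": [f"{prefix}:service/{cluster}/{service}",
                         f"{prefix}:service-deployment/{cluster}/{service}/*",
                         f"{prefix}:service-revision/{cluster}/{service}/*"],
        }],
    }


# Task execution policy as on the page, and an EventBridge policy with a mistyped
# action ("iam: PassRole", stray space) to show how the check surfaces such a slip.
TASK_EXECUTION_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["iam:AttachRolePolicy", "iam:CreateRole", "iam:GetRole"],
    "Resource": "arn:aws:iam::*:role/ecsTaskExecutionRole"}]}
EVENTS_POLICY_WITH_TYPO = {"Statement": [{
    "Effect": "Allow",
    "Action": ["iam:AttachRolePolicy", "iam:CreateRole", "iam:GetRole", "iam: PassRole"],
    "Resource": "arn:aws:iam::*:role/ecsEventsRole"}]}

# Constructed account ID and role ARNs used as check inputs (hypothetical values).
ACCOUNT = "123456789012"
EXEC_ROLE = f"arn:aws:iam::{ACCOUNT}:role/ecsTaskExecutionRole"
EVENTS_ROLE = f"arn:aws:iam::{ACCOUNT}:role/ecsEventsRole"
TASK_EXECUTION_REQUIRED = [(a, EXEC_ROLE) for a in
                           ("iam:AttachRolePolicy", "iam:CreateRole", "iam:GetRole")]
EVENTS_REQUIRED = [(a, EVENTS_ROLE) for a in
                   ("iam:AttachRolePolicy", "iam:CreateRole", "iam:GetRole", "iam:PassRole")]


if __name__ == "__main__":
    print("task execution missing:", missing_permissions(TASK_EXECUTION_POLICY, TASK_EXECUTION_REQUIRED))
    print("events (typo) missing:  ", missing_permissions(EVENTS_POLICY_WITH_TYPO, EVENTS_REQUIRED))
    # Scoping Resource to the role name keeps the console from creating arbitrary roles.
    print("create unrelated role:  ",
          is_allowed(TASK_EXECUTION_POLICY, "iam:CreateRole", f"arn:aws:iam::{ACCOUNT}:role/Admin"))
    pol = service_deployment_policy("us-east-1", ACCOUNT, "prod", "web")
    print("revision of prod/web:   ", is_allowed(pol, "ecs:DescribeServiceRevisions",
          f"arn:aws:ecs:us-east-1:{ACCOUNT}:service-revision/prod/web/3"))
    print("revision of prod/api:   ", is_allowed(pol, "ecs:DescribeServiceRevisions",
          f"arn:aws:ecs:us-east-1:{ACCOUNT}:service-revision/prod/api/3"))
```

Run against the page's policies, the task execution check reports nothing missing, while the EventBridge policy with the stray space reports iam:PassRole as missing, because "iam: PassRole" is just a literal that matches no real action. The same checker shows that the role-scoped Resource blocks iam:CreateRole on any other role name, and that the service-scoped viewing policy grants access to revisions of prod/web but not prod/api. For a definitive answer that includes conditions, boundaries and service control policies, run the same (action, resource) pairs through the IAM policy simulator.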