Amazon ECS/AWS Fargate
These example templates show how AWS Step Functions generates IAM policies based on the resources in your
state machine definition. For more information, see:
Because the value for TaskId is not known until the task is submitted, Step Functions
creates a more privileged "Resource": "*" policy.
You can only stop Amazon Elastic Container Service (Amazon ECS) tasks that were started by Step Functions, despite the
"*" IAM policy.
- Run a Job (.sync)
-
Static resources
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:RunTask"
],
"Resource": [
"arn:aws:ecs:[[region]]:
[[accountId]]:task-definition/[[taskDefinition]]"
]
},
{
"Effect": "Allow",
"Action": [
"ecs:StopTask",
"ecs:DescribeTasks"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:[[region]]:
[[accountId]]:rule/StepFunctionsGetEventsForECSTaskRule"
]
}
]
}
Dynamic resources
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:RunTask",
"ecs:StopTask",
"ecs:DescribeTasks"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:[[region]]:
[[accountId]]:rule/StepFunctionsGetEventsForECSTaskRule"
]
}
]
}
- Request Response and Callback (.waitForTaskToken)
-
Static resources
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:RunTask"
],
"Resource": [
"arn:aws:ecs:[[region]]:
[[accountId]]:task-definition/[[taskDefinition]]"
]
}
]
}
Dynamic resources
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:RunTask"
],
"Resource": "*"
}
]
}
If your scheduled Amazon ECS tasks require the use of a task execution role, a task role, or a task role override, then you must add iam:PassRole permissions for each task
execution role, task role, or task role override to the CloudWatch Events IAM role of the calling entity, which in this case is Step Functions.
