AWS Step Functions
Developer Guide

Amazon Elastic Container Service/Fargate

These example templates show how AWS Step Functions generates IAM policies based on the resources in your state machine definition. For more information, see:

Because the value of TaskId is not known until the task is submitted, Step Functions creates a more privileged policy with "Resource": "*" for the actions that operate on the running task.

Note

You can only stop Amazon ECS tasks that were started by Step Functions, despite the "*" IAM policy.

Synchronous

Static resources:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [ "ecs:RunTask" ],
          "Resource": [ "arn:aws:ecs:[[region]]:[[accountId]]:task-definition/[[taskDefinition]]" ]
        },
        {
          "Effect": "Allow",
          "Action": [ "ecs:StopTask", "ecs:DescribeTasks" ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule" ],
          "Resource": [ "arn:aws:events:[[region]]:[[accountId]]:rule/StepFunctionsGetEventsForECSTaskRule" ]
        }
      ]
    }

Dynamic resources:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [ "ecs:RunTask", "ecs:StopTask", "ecs:DescribeTasks" ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule" ],
          "Resource": [ "arn:aws:events:[[region]]:[[accountId]]:rule/StepFunctionsGetEventsForECSTaskRule" ]
        }
      ]
    }

Asynchronous

Static resources:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [ "ecs:RunTask" ],
          "Resource": [ "arn:aws:ecs:[[region]]:[[accountId]]:task-definition/[[taskDefinition]]" ]
        }
      ]
    }

Dynamic resources:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [ "ecs:RunTask" ],
          "Resource": "*"
        }
      ]
    }
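The following is an added example, not part of the AWS documentation, that audits generated policies like the ones above for actions granted on "Resource": "*". It treats the ecs:StopTask and ecs:DescribeTasks wildcards as expected (the page explains that TaskId is unknown until submission) and marks every other wildcarded action, such as ecs:RunTask in the dynamic-resource variants, for review; the embedded policies are constructed copies of the two synchronous-pattern policies with the page's placeholders kept.

```python
# Constructed copies of the synchronous-pattern policies shown on this page,
# placeholders ([[region]], [[accountId]], [[taskDefinition]]) left as-is.
EVENTS_RULE = "arn:aws:events:[[region]]:[[accountId]]:rule/StepFunctionsGetEventsForECSTaskRule"
TASK_DEF = "arn:aws:ecs:[[region]]:[[accountId]]:task-definition/[[taskDefinition]]"
EVENTS_ACTIONS = ["events:PutTargets", "events:PutRule", "events:DescribeRule"]

STATIC_SYNC = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecs:RunTask"], "Resource": [TASK_DEF]},
    {"Effect": "Allow", "Action": ["ecs:StopTask", "ecs:DescribeTasks"], "Resource": "*"},
    {"Effect": "Allow", "Action": EVENTS_ACTIONS, "Resource": [EVENTS_RULE]},
]}
DYNAMIC_SYNC = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecs:RunTask", "ecs:StopTask", "ecs:DescribeTasks"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": EVENTS_ACTIONS, "Resource": [EVENTS_RULE]},
]}

# Wildcards the page documents as unavoidable: the TaskId does not exist
# until RunTask returns, and Step Functions only stops tasks it started.
EXPECTED_WILDCARD_ACTIONS = {"ecs:StopTask", "ecs:DescribeTasks"}


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def wildcard_findings(policy):
    """Return (action, verdict) for each Allow action granted on Resource "*".

    verdict is "expected" for the documented StopTask/DescribeTasks case and
    "review" for anything else, e.g. ecs:RunTask on "*" in dynamic-resource policies.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            verdict = "expected" if action in EXPECTED_WILDCARD_ACTIONS else "review"
            findings.append((action, verdict))
    return findings


def needs_review(policy):
    """True when at least one wildcarded action is outside the documented set."""
    return any(verdict == "review" for _, verdict in wildcard_findings(policy))


if __name__ == "__main__":
    for name, policy in (("static", STATIC_SYNC), ("dynamic", DYNAMIC_SYNC)):
        print(name, wildcard_findings(policy), "needs review:", needs_review(policy))
```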