Amazon Elastic Container Service/AWS Fargate
These example templates show how AWS Step Functions generates IAM policies based on the resources in your state machine definition. For more information, see:
Because the value for TaskId is not known until the task is submitted, Step Functions
creates a more privileged "Resource": "*" policy.
Note
You can only stop Amazon ECS tasks that were started by Step Functions, despite the
"*" IAM policy.
- Synchronous
-
Static resources
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:RunTask" ], "Resource": [ "arn:aws:ecs:[[region]]:[[accountId]]:task-definition/[[taskDefinition]]" ] }, { "Effect": "Allow", "Action": [ "ecs:StopTask", "ecs:DescribeTasks" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule" ], "Resource": [ "arn:aws:events:[[region]]:[[accountId]]:rule/StepFunctionsGetEventsForECSTaskRule" ] } ] }Dynamic resources
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:RunTask", "ecs:StopTask", "ecs:DescribeTasks" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule" ], "Resource": [ "arn:aws:events:[[region]]:[[accountId]]:rule/StepFunctionsGetEventsForECSTaskRule" ] } ] } - Asynchronous
-
Static resources
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:RunTask" ], "Resource": [ "arn:aws:ecs:[[region]]:[[accountId]]:task-definition/[[taskDefinition]]" ] } ] }Dynamic resources
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:RunTask" ], "Resource": "*" } ] }
