Amazon Elastic Container Service/Fargate
These example templates show how AWS Step Functions generates IAM policies based on the resources in your state machine definition. For more information see:
Since the value for TaskId is not known
until the task is submitted, Step Functions creates a more privileged "Resource":
"*" policy.
Note
You can only stop Amazon ECS tasks that were started by Step Functions, despite the
"*" IAM policy.
- Synchronous
-
Static resources:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:RunTask" ], "Resource": [ "arn:aws:ecs:[[region]]:[[accountId]]:task-definition/[[taskDefinition]]" ] }, { "Effect": "Allow", "Action": [ "ecs:StopTask", "ecs:DescribeTasks" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule" ], "Resource": [ "arn:aws:events:[[region]]:[[accountID]]:rule/StepFunctionsGetEventsForECSTaskRule" ] } ] }Dynamic resources:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:RunTask", "ecs:StopTask", "ecs:DescribeTasks" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule" ], "Resource": [ "arn:aws:events:[[region]]:[[accountId]]:rule/StepFunctionsGetEventsForECSTaskRule" ] } ] } - Asynchronous
-
Static resources:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:RunTask" ], "Resource": [ "arn:aws:ecs:[[region]]:[[accountID]]:task-definition/[[taskDefinition]]" ] } ] }Dynamic resources:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:RunTask" ], "Resource": "*" } ] }
