docker-curriculum
AWS Elastic Container Service permissions
Thank you for such a great Docker tutorial. I'm new to AWS as well. I followed the tutorial to completion. Starting with the "AWS Elastic Container Service" section, I ran into permission issues. It took me several hours to figure them all out:
For example, with:
"C:\Program Files\Amazon\ECSCLI\ecs-cli.exe" up --keypair ecs --capability-iam --size 1 --instance-type t2.medium
FATA[0000] Error executing 'up': AccessDeniedException: User: arn:aws:iam::366004406550:user/behai-iam is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:ap-southeast-2::parameter/aws/service/ecs/optimized-ami/amazon-linux-2/recommended because no identity-based policy allows the ssm:GetParameter action status code: 400, request id: f66824d0-80cb-49bb-9465-75671d4a5417
For behai-iam, I had to add several inline policies. I am listing them here:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ssm:PutParameter",
        "ssm:DeleteParameter",
        "ssm:GetParameterHistory",
        "ssm:GetParametersByPath",
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:DeleteParameters"
      ],
      "Resource": "arn:aws:ssm:ap-southeast-2::parameter/*"
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeStacks"
      ],
      "Resource": "arn:aws:cloudformation:ap-southeast-2:366004406550:stack/amazon-ecs-cli-setup-foodtrucks/*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack"
      ],
      "Resource": "arn:aws:cloudformation:ap-southeast-2:366004406550:stack/amazon-ecs-cli-setup-foodtrucks/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "<my own IP address>"
        }
      }
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack"
      ],
      "Resource": "arn:aws:cloudformation:ap-southeast-2:366004406550:stack/amazon-ecs-cli-setup-foodtrucks/*"
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:CreateRole",
        "iam:PutRolePolicy",
        "iam:CreateInstanceProfile",
        "iam:AddRoleToInstanceProfile",
        "iam:ListRoles",
        "iam:GetPolicy",
        "iam:GetInstanceProfile",
        "iam:GetPolicyVersion",
        "iam:AttachRolePolicy"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iam::366004406550:role/*"
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:RunTask"
      ],
      "Condition": {
        "ArnEquals": {
          "ecs:cluster": "arn:aws:ecs:ap-southeast-2:366004406550:cluster/*"
        }
      },
      "Resource": [
        "arn:aws:ecs:ap-southeast-2:366004406550:task-definition/*"
      ]
    }
  ]
}
Thank you and best regards.
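The post above works toward a least-privilege user the way most people do: run the tool, read the AccessDeniedException, add the one action it names, repeat. The following script is an added example (not the poster's code and not part of docker-curriculum) that automates the tedious half of that loop offline: it pulls the denied principal, action and resource out of an error message of the shape ecs-cli prints, checks whether any Allow statement in a set of inline policies already covers that action on that resource (honouring IAM's `*` and `?` wildcards in both Action and Resource), and otherwise proposes the narrowest single statement that would. Statements carrying a Condition block are reported but never counted as allowing, since conditions such as `aws:SourceIp` or `ecs:cluster` cannot be evaluated without the real request context. The sample policies and the sample error message are constructed for this example; the account id `123456789012` and user name `example-iam` are placeholders, and the regex assumes the message wording shown in the post.

```python
"""Offline helper for iterating toward a least-privilege IAM policy.

Constructed example: parse an AccessDeniedException message, check it against
identity-based policy documents, and propose a minimal Allow statement.
"""
import fnmatch
import json
import re

# Matches the wording ecs-cli/the AWS SDK use for identity-based denials.
DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:[\w*]+) on resource: (?P<resource>\S+)"
)

# Constructed sample input (placeholder account id and user name).
DENIED_MSG = (
    "FATA[0000] Error executing 'up': AccessDeniedException: "
    "User: arn:aws:iam::123456789012:user/example-iam is not authorized to perform: "
    "ssm:GetParameter on resource: arn:aws:ssm:ap-southeast-2::parameter/aws/service/"
    "ecs/optimized-ami/amazon-linux-2/recommended because no identity-based policy "
    "allows the ssm:GetParameter action status code: 400"
)

SAMPLE_POLICIES = [
    {   # Mirrors the SSM inline policy from the post: public parameters have no account id.
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["ssm:GetParameter", "ssm:GetParameters"],
                       "Resource": "arn:aws:ssm:ap-southeast-2::parameter/*"}],
    },
    {   # A conditional statement: only valid from one source IP, so not evaluable offline.
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["cloudformation:CreateStack"],
                       "Resource": "arn:aws:cloudformation:ap-southeast-2:123456789012:stack/example-stack/*",
                       "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}],
    },
]


def parse_access_denied(message):
    """Return (principal, action, resource) extracted from the denial text."""
    m = DENIED_RE.search(message)
    if not m:
        raise ValueError("not an identity-based AccessDenied message")
    return m.group("principal"), m.group("action"), m.group("resource")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value):
    # IAM wildcards are '*' and '?'; fnmatchcase gives the same semantics for
    # ARNs (which never contain the '[' that fnmatch would also interpret).
    return fnmatch.fnmatchcase(value, pattern)


def allowing_statements(policies, action, resource):
    """Split Allow statements covering (action, resource) into
    unconditional ones and ones that carry a Condition block."""
    unconditional, conditional = [], []
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if stmt.get("Effect") != "Allow":
                continue
            actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
            resources = _as_list(stmt.get("Resource", []))
            if not any(_iam_match(a, action.lower()) for a in actions):
                continue  # action names are case-insensitive in IAM
            if not any(_iam_match(r, resource) for r in resources):
                continue  # resource ARNs are case-sensitive
            (conditional if "Condition" in stmt else unconditional).append(stmt)
    return unconditional, conditional


def minimal_statement(action, resource):
    """The narrowest statement that would satisfy one denied call."""
    return {"Effect": "Allow", "Action": [action], "Resource": [resource]}


def is_allowed(policies, message):
    """True only if an unconditional Allow covers the denied action/resource."""
    _, action, resource = parse_access_denied(message)
    unconditional, _ = allowing_statements(policies, action, resource)
    return bool(unconditional)


def suggest(policies, message):
    """Return None if already covered, else the minimal statement to add."""
    _, action, resource = parse_access_denied(message)
    unconditional, _ = allowing_statements(policies, action, resource)
    return None if unconditional else minimal_statement(action, resource)


if __name__ == "__main__":
    print("covered:", is_allowed(SAMPLE_POLICIES, DENIED_MSG))
    print(json.dumps(suggest([], DENIED_MSG), indent=2))
```

Feeding each new denial through `suggest` and appending the returned statement keeps every grant tied to a concrete action and ARN, which is what makes the resulting inline policies easy to review later; it also makes it obvious when a grant is only conditional, the case where a policy looks right on paper but still produces the error.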