Minimal Deploy IAM Policy
The IAM user you use to run the ufo ship command needs a minimal set of IAM policies in order to deploy to ECS. Here is a table of the baseline services needed:
| Service | Description |
|---|---|
| CloudFormation | To create the CloudFormation stack, which in turn creates most of the AWS resources that Ufo manages, such as the ECS service and the ELB. |
| EC2 | To describe the subnets associated with the VPC. Used to configure the subnets for ECS tasks and ELBs. |
| ECR | To pull and push to the ECR registry. If you’re using DockerHub this permission is not required. |
| ECS | To create ECS service, task definitions, etc. |
| ElasticloadBalancing | To create the ELB and related load balancing resources like Listeners and Target Groups. |
| ElasticloadBalancingV2 | To create the ELB and related load balancing resources like Listeners and Target Groups. |
| Logs | To write to CloudWatch Logs. |
| Route53 | To create vanity DNS endpoint when using Route53 setting. |
Instructions
It is recommended that you create an IAM group and associate it with the IAM users that need access to use ufo ship. Here are starter instructions and a policy that you can tailor for your needs:
Commands Summary
Here’s a summary of the commands:
aws iam create-group --group-name Ufo
cat << 'EOF' > /tmp/ecs-deploy-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudformation:*",
        "ec2:*",
        "ecr:*",
        "ecs:*",
        "elasticloadbalancing:*",
        "elasticloadbalancingv2:*",
        "logs:*",
        "route53:*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "iam:PassRole"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:PassedToService": [
            "ecs-tasks.amazonaws.com"
          ]
        }
      }
    }
  ]
}
EOF
aws iam put-group-policy --group-name Ufo --policy-name UfoPolicy --policy-document file:///tmp/ecs-deploy-policy.json
Then create a user and add the user to the IAM group. Here’s an example:
aws iam create-user --user-name tung
aws iam add-user-to-group --user-name tung --group-name Ufo
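The starter policy above grants `service:*` on `Resource: "*"` for every service in the table and relies on the `iam:PassedToService` condition to keep `iam:PassRole` from becoming a privilege-escalation path. Before tailoring it, it helps to have a repeatable check of what the document actually grants. The script below is an added example, not part of Ufo or its documentation: it parses a policy document, reports every wildcard action and wildcard resource, and flags any `iam:PassRole` statement that lacks a `iam:PassedToService` condition. The page's own policy is embedded as the sample input; the second, unscoped PassRole policy is a constructed sample to show the check firing.

```python
import json

# The deploy policy from this page, embedded as sample input for the audit.
UFO_DEPLOY_POLICY = json.loads(r"""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["cloudformation:*", "ec2:*", "ecr:*", "ecs:*",
                 "elasticloadbalancing:*", "elasticloadbalancingv2:*",
                 "logs:*", "route53:*"],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": ["iam:PassRole"],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {"StringLike": {"iam:PassedToService": ["ecs-tasks.amazonaws.com"]}}
    }
  ]
}
""")

# Constructed sample (not from the page): PassRole with no PassedToService
# condition, which would let the deployer hand *any* passable role to *any* service.
UNSCOPED_PASSROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "iam:PassRole", "Effect": "Allow", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalise to list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def passrole_services(statement):
    """Return the iam:PassedToService values a statement is scoped to, if any."""
    condition = statement.get("Condition", {})
    services = []
    for operator in ("StringEquals", "StringLike"):
        services += _as_list(condition.get(operator, {}).get("iam:PassedToService"))
    return services


def audit_policy(policy):
    """Return a list of human-readable findings for Allow statements in a policy."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement[{index}]: wildcard action {action!r}")
        if "*" in resources:
            findings.append(f"statement[{index}]: Resource is '*'")

        # iam:PassRole is the escalation-prone permission in a deploy policy:
        # it must at least be pinned to the service that will assume the role.
        if any(a.lower() == "iam:passrole" for a in actions):
            if not passrole_services(stmt):
                findings.append(
                    f"statement[{index}]: iam:PassRole without iam:PassedToService condition"
                )
    return findings


if __name__ == "__main__":
    for name, policy in (("page policy", UFO_DEPLOY_POLICY),
                         ("unscoped PassRole", UNSCOPED_PASSROLE_POLICY)):
        print(f"== {name} ==")
        for finding in audit_policy(policy):
            print(" -", finding)
```

Run against the page's policy it lists eight `service:*` actions and two `Resource: "*"` statements but no PassRole finding, because the `StringLike` condition scopes the role to `ecs-tasks.amazonaws.com`. Those wildcard findings are the places to tighten first when tailoring the policy, for example by restricting `Resource` to the stack, cluster and log-group ARNs that Ufo actually creates. The script reads a document you already have locally; it does not call AWS.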
CodeBuild IAM Role
If you are using CodeBuild to deploy, you’ll probably be interested in the IAM policy for the CodeBuild project: CodeBuild IAM Role
ECS Task IAM Policy vs User Deploy IAM Policy
This page refers to the IAM policy of the user running ufo ship. It is different from the IAM policies associated with the ECS Task itself. For those IAM policies, refer to IAM Roles for Tasks.