Document required AWS permissions

Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>
Nicolas De Loof 2020-06-29 09:12:43 +02:00
parent ed262a0461
commit 5e1f40b752
No known key found for this signature in database
GPG Key ID: 9858809D6F8F6E7E
1 changed files with 31 additions and 0 deletions

ecs/docs/requirements.md Normal file

@ -0,0 +1,31 @@
## Requirements
This plugin relies on AWS API credentials, using the same configuration files as
the AWS command line.
Such credentials can be configured by the `docker ecs setup` command, either by
selecting an existing AWS CLI profile from existing config files, or by creating
one passing an AWS access key ID and secret access key.
## Permissions
AWS accounts (or IAM roles) used with the ECS plugin require following permissions:
- ec2:DescribeSubnets
- ec2:DescribeVpcs
- iam:CreateServiceLinkedRole
- iam:AttachRolePolicy
- cloudformation:*
- ecs:*
- logs:*
- servicediscovery:*
- elasticloadbalancing:*
## Okta support
For those relying on [aws-okta](https://github.com/segmentio/aws-okta) to access a managed AWS account
(as we do at Docker), you can populate your aws config files with temporary access tokens using:
```shell script
aws-okta write-to-credentials <profile> ~/.aws/credentials
```
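Review bot: the Permissions list documents `cloudformation:*`, `ecs:*`, `logs:*`, `servicediscovery:*` and `elasticloadbalancing:*` as service-wide wildcards, and lists `iam:AttachRolePolicy` and `iam:CreateServiceLinkedRole` with no resource scope, so an operator cannot write a least-privilege policy from this page. Suggest enumerating the specific actions the plugin calls for each service, as is already done for `ec2:DescribeSubnets` and `ec2:DescribeVpcs`, and stating which roles the two IAM actions must apply to so they can be restricted by resource ARN or a permissions boundary. In the Okta section it would also help to say that `aws-okta write-to-credentials` writes the temporary tokens into `~/.aws/credentials` on disk, so readers know to keep that file's permissions restricted. Minor: "require following permissions" should read "require the following permissions", and the fence info string `shell script` contains a space; `shell` or `console` would be the usual tag.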