From bbaac2048c99c66795330a48b2b33a02d2983904 Mon Sep 17 00:00:00 2001
From: Massimo Re Ferre
Date: Tue, 10 Nov 2020 09:18:00 +0100
Subject: [PATCH] Added IAM roles/policies examples and re-ordered some of the text
Signed-off-by: Massimo Re Ferre
---
 docs/ecs-compose-examples.md | 71 ++++++++++++++++++++++++------------
 1 file changed, 48 insertions(+), 23 deletions(-)
diff --git a/docs/ecs-compose-examples.md b/docs/ecs-compose-examples.md
index 840f48b44..d708208a5 100644
--- a/docs/ecs-compose-examples.md
+++ b/docs/ecs-compose-examples.md
@@ -39,6 +39,32 @@ services:
 memory: 2048M
 ```
+###### IAM roles
+
+Assign an existing user role to a task:
+
+```yaml
+services:
+ test:
+ x-aws-policies:
+ - "arn:aws:iam::aws:policy/AmazonS3FullAccess"
+```
+
+###### IAM policies
+
+Assign an in-line IAM policy to a task:
+
+```yaml
+services:
+ test:
+ x-aws-role:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action: sqs:*
+ Resource: arn:aws:sqs:us-east-1:12345678:myqueue
+```
+
 ###### Logging
 Pass options to awslogs driver
 ```yaml
@@ -85,7 +111,7 @@ services:
-#### Load Balancers
+##### Load Balancers
 When a service in the compose file exposes a port, a load balancer is being created and configured to distribute the traffic between all containers.
@@ -189,6 +215,26 @@ volumes:
 provisioned_throughput: 1024
 ```
+## Networks
+
+Networks are mapped to security groups.
+```yaml
+services:
+ test:
+ image: nginx
+networks:
+ default:
+```
+Using an external network/security group:
+```yaml
+services:
+ test:
+ image: nginx
+networks:
+ default:
+ external: true
+ name: sg-123abc
+```
 ## Secrets
 Secrets are stored in __AWS SecretsManager__ as strings and are mounted to containers under `/run/secrets/`.
@@ -221,6 +267,7 @@ secrets:
 external: true
 ```
+
 ## Access private images
 When a service is configured with an image from a private repository on Docker Hub, make sure you have configured pull credentials correctly before deploying the Compose stack.
@@ -250,25 +297,3 @@ services:
-
-#### Networks
-
-Networks are mapped to security groups.
-```yaml
-services:
- test:
- image: nginx
-networks:
- default:
-```
-Using an external network/security group:
-```yaml
-services:
- test:
- image: nginx
-networks:
- default:
- external: true
- name: sg-123abc
-```
-