Adding ecs:TagResource permission to IAM roles (#207)

aws-ia · May 2, 2024 · b544546 · b544546
1 parent 5c8971e
commit b544546
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 4 deletions.
diff --git a/cdk/examples/data_pipeline/python/lib/data_pipeline_roles.py b/cdk/examples/data_pipeline/python/lib/data_pipeline_roles.py
@@ -4,7 +4,8 @@
 
 def add_step_function_role_policies(stepfunctionExecutionRole:iam.Role, data_pipeline_stack_props: DataPipelineStackProps):
     stepfunctionExecutionRole.add_to_principal_policy(iam.PolicyStatement(
-        actions= ['ecs:RunTask'],
+        actions= ['ecs:RunTask',
+        "ecs:TagResource"],
         effect= iam.Effect.ALLOW,
         resources= ['arn:aws:ecs:'+data_pipeline_stack_props.aws_region+':'+data_pipeline_stack_props.account_number+':task-definition/*']
     ))

diff --git a/cdk/examples/data_pipeline/typescript/lib/data-pipeline-roles.ts b/cdk/examples/data_pipeline/typescript/lib/data-pipeline-roles.ts
@@ -2,7 +2,8 @@ import { Effect, ManagedPolicy, Policy, PolicyStatement, Role } from "aws-cdk-li
 
 export function addStepFunctionRolePolicies(account: String, region: String, stepFunctionExecutionRole: Role) {
     stepFunctionExecutionRole.addToPrincipalPolicy(new PolicyStatement({
-        actions:["ecs:RunTask"],
+        actions:["ecs:RunTask",
+        "ecs:TagResource"],
         effect: Effect.ALLOW,
         resources: [`arn:aws:ecs:${region}:${account}:task-definition/*`]
     }))

diff --git a/terraform/fargate-examples/queue-processing/main.tf b/terraform/fargate-examples/queue-processing/main.tf
@@ -360,7 +360,8 @@ data "aws_iam_policy_document" "lambda_role" {
       "ecs:DescribeTasks",
       "ecs:ListTasks",
       "ecs:StartTask",
-      "ecs:RunTask"
+      "ecs:RunTask",
+      "ecs:TagResource"
     ]
     resources = ["*"]
   }

diff --git a/terraform/fargate-examples/sqs-dynamic-target-tracking/main.tf b/terraform/fargate-examples/sqs-dynamic-target-tracking/main.tf
@@ -597,7 +597,8 @@ data "aws_iam_policy_document" "lambda_role" {
       "ecs:DescribeTasks",
       "ecs:ListTasks",
       "ecs:StartTask",
-      "ecs:RunTask"
+      "ecs:RunTask",
+      "ecs:TagResource"
     ]
     resources = ["*"]
   }