ECS drain hook can't change instance state to draining #3190
Comments
Thanks for reaching out @ScOut3R, we're looking into the issue and will get back to you with more information.

UpdateContainerInstancesState and ListTasks need to be restricted to the containerInstance resource. https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-supported-iam-actions-resources.html

Thank you for pointing out the documentation! Looks like the ARN format defined in the documentation refers to the long ARN @pkandasamy91. The legacy format does not have the cluster name. UPDATE:
…ions

UpdateContainerInstanceState and ListTask APIs require permissions on a container-instance resource, rather than a cluster resource. This change updates the policy to:

1. remove the cluster as the resource restriction
2. add the cluster as a resource condition

More info on ECS Resource-Level permissions can be found here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-supported-iam-actions-resources.html

Fixes aws#3190
@pkandasamy91 beat me to it :D
@ScOut3R thanks for the feedback! Instead of using the resource arn (which would vary depending on if you opted into using long arns or not), we used the cluster as the condition key for restricting the scope of the permissions on ListTasks and UpdateContainerInstancesState actions. The fix has been merged in!
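To make the failure mode and the fix in the comments above concrete, here is an added Python example that is not part of the issue thread or the aws-cdk code base. It builds the two policy statement shapes the maintainers describe (cluster ARN as the `Resource`, versus `Resource: "*"` with the cluster enforced through the `ecs:cluster` condition key) and evaluates them with a deliberately simplified IAM-style matcher. The ARNs, account id and region are constructed placeholders, and the choice of the `ArnEquals` operator for the condition is an assumption; the thread only says the cluster became a condition key.

```python
import re

# Constructed sample ARNs: account id, region and instance id are placeholders.
CLUSTER_ARN = "arn:aws:ecs:us-east-1:123456789012:cluster/my-cluster"
OTHER_CLUSTER_ARN = "arn:aws:ecs:us-east-1:123456789012:cluster/other-cluster"
# Legacy container-instance ARN: the cluster name is absent from the path.
INSTANCE_ARN_LEGACY = (
    "arn:aws:ecs:us-east-1:123456789012:container-instance/"
    "11111111-2222-3333-4444-555555555555"
)
# Long container-instance ARN: the cluster name is embedded in the path.
INSTANCE_ARN_LONG = (
    "arn:aws:ecs:us-east-1:123456789012:container-instance/my-cluster/"
    "11111111-2222-3333-4444-555555555555"
)

ACTIONS = ["ecs:ListTasks", "ecs:UpdateContainerInstancesState"]

# Original shape: the cluster ARN is the Resource. A container-instance ARN
# (legacy or long) never equals the cluster ARN, so the drain call is denied.
BEFORE_STATEMENT = {"Effect": "Allow", "Action": ACTIONS, "Resource": CLUSTER_ARN}

# Fixed shape: no resource restriction, scope enforced via the ecs:cluster
# condition key. ArnEquals is assumed here; the thread names only the key.
AFTER_STATEMENT = {
    "Effect": "Allow",
    "Action": ACTIONS,
    "Resource": "*",
    "Condition": {"ArnEquals": {"ecs:cluster": CLUSTER_ARN}},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def pattern_matches(pattern, value):
    """Simplified IAM wildcard match: '*' is any run of characters, '?' one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def statement_allows(statement, action, resource_arn, context):
    """Toy evaluation of one Allow statement against one request.

    context holds request condition keys (e.g. ecs:cluster). Only the exact-match
    operators ArnEquals and StringEquals are supported; anything else raises.
    """
    if statement.get("Effect") != "Allow":
        return False
    if not any(pattern_matches(a, action) for a in _as_list(statement["Action"])):
        return False
    if not any(pattern_matches(r, resource_arn) for r in _as_list(statement["Resource"])):
        return False
    for operator, keys in statement.get("Condition", {}).items():
        if operator not in ("ArnEquals", "StringEquals"):
            raise ValueError(f"unsupported operator in toy evaluator: {operator}")
        for key, expected in keys.items():
            # A missing key or a non-matching value fails the condition.
            if context.get(key) not in _as_list(expected):
                return False
    return True


def drain_request_outcomes(statement):
    """Map ARN format -> allowed? for UpdateContainerInstancesState on an instance of CLUSTER_ARN."""
    context = {"ecs:cluster": CLUSTER_ARN}  # ECS derives this from the request's cluster
    return {
        fmt: statement_allows(statement, "ecs:UpdateContainerInstancesState", arn, context)
        for fmt, arn in (("legacy", INSTANCE_ARN_LEGACY), ("long", INSTANCE_ARN_LONG))
    }


if __name__ == "__main__":
    print("before:", drain_request_outcomes(BEFORE_STATEMENT))
    print("after: ", drain_request_outcomes(AFTER_STATEMENT))
```

The before statement denies the drain call for both ARN formats, while the condition-based statement allows it for either format and still denies a request aimed at a different cluster, which is the least-privilege property the maintainers wanted to preserve without depending on whether long ARNs are enabled.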
The draining function's IAM policy does not provide enough permission to change the ECS instance state.
The `ecs:UpdateContainerInstancesState` permission is provided for the cluster ARN, but the function needs to set the state on the instance, which has a different ARN.

What is the expected behavior (or behavior of feature suggested)?
The function should have access to the cluster instance to set the state.
What is the motivation / use case for changing the behavior or adding this feature?
The draining function can't set the instance to draining which defeats its sole purpose.
Please tell us about your environment: