fix: add missing ecs:TagResource permission for ECS tasks (serverless-operations#657)

renanwilliam · claude · olivier-Attestis · commit 115ddf605585 · 2025-11-14T13:01:41.000+01:00
When using serverless-step-functions to deploy ECS tasks with tags, the auto-generated IAM policies were missing the ecs:TagResource permission. This caused Step Functions executions to fail with an AccessDeniedException when attempting to tag ECS tasks. This commit adds the ecs:TagResource permission to the getEcsPermissions function, allowing ECS tasks to be properly tagged during execution. Fixes serverless-operations#656 🤖 Generated with [Claude Code](https://claude.ai/code) Co-authored-by: Claude <noreply@anthropic.com>
diff --git a/lib/deploy/stepFunctions/compileIamRole.js b/lib/deploy/stepFunctions/compileIamRole.js
@@ -194,7 +194,7 @@ function getGluePermissions() {
 
 function getEcsPermissions() {
   return [{
-    action: 'ecs:RunTask,ecs:StopTask,ecs:DescribeTasks,iam:PassRole',
+    action: 'ecs:RunTask,ecs:StopTask,ecs:DescribeTasks,ecs:TagResource,iam:PassRole',
     resource: '*',
   }, {
     action: 'events:PutTargets,events:PutRule,events:DescribeRule',
diff --git a/lib/deploy/stepFunctions/compileIamRole.test.js b/lib/deploy/stepFunctions/compileIamRole.test.js
@@ -1651,7 +1651,7 @@ describe('#compileIamRole', () => {
       .provider.compiledCloudFormationTemplate.Resources.StateMachine1Role
       .Properties.Policies[0].PolicyDocument.Statement;
 
-    const ecsPermissions = statements.filter(s => _.isEqual(s.Action, ['ecs:RunTask', 'ecs:StopTask', 'ecs:DescribeTasks', 'iam:PassRole']));
+    const ecsPermissions = statements.filter(s => _.isEqual(s.Action, ['ecs:RunTask', 'ecs:StopTask', 'ecs:DescribeTasks', 'ecs:TagResource', 'iam:PassRole']));
     expect(ecsPermissions).to.have.lengthOf(1);
     expect(ecsPermissions[0].Resource).to.equal('*');
 
@@ -2694,7 +2694,7 @@ describe('#compileIamRole', () => {
     const expectation = (policy, lambdaArns, sns, sqsArn) => {
       const statements = policy.PolicyDocument.Statement;
 
-      const ecsPermissions = statements.filter(s => _.isEqual(s.Action, ['ecs:RunTask', 'ecs:StopTask', 'ecs:DescribeTasks', 'iam:PassRole']));
+      const ecsPermissions = statements.filter(s => _.isEqual(s.Action, ['ecs:RunTask', 'ecs:StopTask', 'ecs:DescribeTasks', 'ecs:TagResource', 'iam:PassRole']));
       expect(ecsPermissions).to.have.lengthOf(1);
       expect(ecsPermissions[0].Resource).to.equal('*');
 
