This is an automated email from the ASF dual-hosted git repository. vincbeck pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push: new 2d330cb487 Fix documentation on IAM permissions for `EcsRunTaskOperator` (#36865) 2d330cb487 is described below commit 2d330cb487c61ecc226daa58cb50ff46ee696e03 Author: Wouter ten Brink <65462362+wouter...@users.noreply.github.com> AuthorDate: Thu Jan 18 17:15:24 2024 +0100 Fix documentation on IAM permissions for `EcsRunTaskOperator` (#36865) --- .../operators/ecs.rst | 33 +++++++++++++++------- 1 file changed, 23 insertions(+), 10 deletions(-) diff --git a/docs/apache-airflow-providers-amazon/operators/ecs.rst b/docs/apache-airflow-providers-amazon/operators/ecs.rst index 6e8e3f5409..2c4b3c7e7f 100644 --- a/docs/apache-airflow-providers-amazon/operators/ecs.rst +++ b/docs/apache-airflow-providers-amazon/operators/ecs.rst 
@@ -154,19 +154,32 @@ You need to ensure that you have the appropriate level of permissions (see next IAM Permissions """"""""""""""" -You need to ensure you have the following IAM permissions to run tasks via this operator. -In this example, the operator will have permissions to run tasks on an ECS Cluster called "cluster a" in a specific AWS region and account. +You need to ensure you have the following IAM permissions to run tasks via the EcsRunTaskOperator: .. code-block:: - { - "Effect": "Allow", - "Action": [ - "ecs:RunTask", - "ecs:DescribeTasks" - ], - "Resource": : [ "arn:aws:ecs:{aws region}:{aws account number}:cluster/{custer a}" - } + { + "Effect": "Allow", + "Action": [ + "ecs:RunTask", + "ecs:DescribeTasks", + ] + "Resource": [ "arn:aws:ecs:{aws region}:{aws account number}:task_definition/{task definition family}" ] + }, + { + "Effect": "Allow", + "Action": [ + "iam:PassRole" + ] + "Resource": [ "arn:aws:iam::{aws account number}:role/{task execution role name}" ] + }, + { + "Effect": "Allow", + "Action": [ + "ecs:DescribeTasks", + ], + "Resource": [ "arn:aws:ecs:{aws region}:{aws account number}:task/{ecs cluster name}/*" ] + } If you use the "reattach=True" (the default is False), you need to add further permissions. You need to add the following additional Actions to the IAM policy.
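Review bot: the three added statements are not valid JSON as written, so anyone pasting them into an IAM policy will get a syntax error. In the first and second statements the `]` that closes `"Action"` is followed directly by `"Resource"` with no separating comma, and in the first and third statements the last `"Action"` element carries a trailing comma (`"ecs:DescribeTasks",` before `]`), which IAM's policy parser rejects. Suggest closing each Action list as `"ecs:DescribeTasks"` / `"iam:PassRole"` followed by `],` so the `"Resource"` key is comma-separated. As a least-privilege point, `ecs:DescribeTasks` in the first statement is scoped to the `task_definition/` ARN, whereas DescribeTasks acts on task ARNs, which the third statement already covers with `task/{ecs cluster name}/*`; dropping it from the first statement would avoid granting an action on a resource type it does not apply to. Finally, tagging the directive as `.. code-block:: json` would give readers syntax highlighting and make such errors easier to spot in review.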