This is an automated email from the ASF dual-hosted git repository.

vincbeck pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/main by this push:
     new 2d330cb487 Fix documentation on IAM permissions for 
`EcsRunTaskOperator` (#36865)
2d330cb487 is described below

commit 2d330cb487c61ecc226daa58cb50ff46ee696e03
Author: Wouter ten Brink <65462362+wouter...@users.noreply.github.com>
AuthorDate: Thu Jan 18 17:15:24 2024 +0100

    Fix documentation on IAM permissions for `EcsRunTaskOperator` (#36865)
---
 .../operators/ecs.rst                              | 33 +++++++++++++++-------
 1 file changed, 23 insertions(+), 10 deletions(-)

diff --git a/docs/apache-airflow-providers-amazon/operators/ecs.rst 
b/docs/apache-airflow-providers-amazon/operators/ecs.rst
index 6e8e3f5409..2c4b3c7e7f 100644
--- a/docs/apache-airflow-providers-amazon/operators/ecs.rst
+++ b/docs/apache-airflow-providers-amazon/operators/ecs.rst
@@ -154,19 +154,32 @@ You need to ensure that you have the appropriate level of 
permissions (see next
 IAM Permissions
 """""""""""""""
 
-You need to ensure you have the following IAM permissions to run tasks via 
this operator.
-In this example, the operator will have permissions to run tasks on an ECS 
Cluster called "cluster a" in a specific AWS region and account.
+You need to ensure you have the following IAM permissions to run tasks via the 
EcsRunTaskOperator:
 
 .. code-block::
 
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ecs:RunTask",
-                "ecs:DescribeTasks"
-            ],
-            "Resource": : [ "arn:aws:ecs:{aws region}:{aws account 
number}:cluster/{custer a}"
-        }
+  {
+      "Effect": "Allow",
+      "Action": [
+          "ecs:RunTask",
+          "ecs:DescribeTasks",
+      ]
+      "Resource": [ "arn:aws:ecs:{aws region}:{aws account 
number}:task_definition/{task definition family}" ]
+  },
+  {
+      "Effect": "Allow",
+      "Action": [
+          "iam:PassRole"
+      ]
+      "Resource": [ "arn:aws:iam::{aws account number}:role/{task execution 
role name}" ]
+  },
+  {
+      "Effect": "Allow",
+      "Action": [
+        "ecs:DescribeTasks",
+      ],
+      "Resource": [ "arn:aws:ecs:{aws region}:{aws account number}:task/{ecs 
cluster name}/*" ]
+  }
 
 If you use the "reattach=True" (the default is False), you need to add further 
permissions.
 You need to add the following additional Actions to the IAM policy.
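
Review bot: The three added policy statements are not valid JSON as written, so anyone pasting them into an IAM policy will hit a parse error. In the first and second statements the `]` that closes "Action" has no comma before "Resource", and `"ecs:DescribeTasks",` carries a trailing comma in both the first and third statements; each Action list should end with `"ecs:DescribeTasks"` (no comma) followed by `],`. The first statement's resource uses `task_definition/`, whereas ECS task definition ARNs are written `task-definition/`, so the pattern as documented would not match the task definition it is meant to scope. `ecs:DescribeTasks` is also granted twice, once against the task definition resource and once against `task/{ecs cluster name}/*`; since the third statement carries the task-scoped grant, consider dropping it from the first so the least-privilege intent is clear. Finally, the statements are shown as bare comma-separated objects, so a sentence noting that they belong inside a policy's "Statement" array would prevent copy-paste mistakes.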