1

I'm trying to create a service on AWS ECS, using CloudFormation. The user trying to create the service has a role granting it the ecs:CreateService permission on the cluster that will host the service. However, the service fails to create with this error message:

User: (user ARN) is not authorized to perform: ecs:CreateService on resource: *

Why is this permission necessary, when I've specified the cluster I'm creating the service on?

DylanSp

1 Answer

3

The CreateService API does not support resource-level permissions. The APIs that support resource-level permissions are documented here.

Samuel Karp