Merge pull request #12251 from ollypom/ecs-iam-permissions

Added Additional IAM Permissions for ECS

cloud/ecs-integration.md

@@ -45,31 +45,45 @@ AWS uses a fine-grained permission model, with specific role for each resource t
 
 To ensure that Docker ECS integration is allowed to manage resources for your Compose application, you have to ensure your AWS credentials [grant access to following AWS IAM permissions](https://aws.amazon.com/iam/features/manage-permissions/):
 
+* application-autoscaling:*
 * cloudformation:*
-* ecs:ListAccountSettings
+* ec2:AuthorizeSecurityGroupIngress
+* ec2:CreateSecurityGroup
+* ec2:CreateTags
+* ec2:DeleteSecurityGroup
+* ec2:DescribeRouteTables
+* ec2:DescribeSecurityGroups
+* ec2:DescribeSubnets
+* ec2:DescribeVpcs
+* ec2:RevokeSecurityGroupIngress
 * ecs:CreateCluster
 * ecs:CreateService
-* ec2:DescribeVpcs
-* ec2:DescribeSubnets
-* ec2:CreateSecurityGroup
-* ec2:DescribeSecurityGroups
-* ec2:DeleteSecurityGroup
-* iam:CreateRole
-* iam:AttachRolePolicy
-* iam:DetachRolePolicy
-* iam:DeleteRole
+* ecs:DeleteCluster
+* ecs:DeleteService
+* ecs:DeregisterTaskDefinition
+* ecs:DescribeClusters
+* ecs:DescribeServices
+* ecs:DescribeTasks
+* ecs:ListAccountSettings
+* ecs:ListTasks
+* ecs:RegisterTaskDefinition
+* ecs:UpdateService
 * elasticloadbalancing:*
-* application-autoscaling:*
-* servicediscovery:*
+* iam:AttachRolePolicy
+* iam:CreateRole
+* iam:DeleteRole
+* iam:DetachRolePolicy
+* iam:PassRole
 * logs:CreateLogGroup
+* logs:DeleteLogGroup
 * logs:DescribeLogGroups
 * logs:FilterLogEvents
-* logs:DeleteLogGroup
 * route53:CreateHostedZone
 * route53:DeleteHostedZone
 * route53:GetHealthCheck
 * route53:GetHostedZone
 * route53:ListHostedZonesByName
+* servicediscovery:*
 
 GPU support, which relies on EC2 instances to run containers with attached GPU devices,
 require a few additional permissions: