Deploy to ECR / ECS

Hi.

I am trying to follow along with this tutorial:

https://circleci.com/docs/2.0/ecs-ecr/

Can anyone advise on what a suitable IAM policy would be to accompany this tutorial? I have started with a blank policy and adding permissions as it goes along and fails… but hoping someone else has done this already so that I can speed things up a little.

Cheers,
Nathan

I couldn’t find anyone willing to post a policy anywhere on the internet either, so I had to fault through building my own. The ECR part is based on AmazonEC2ContainerRegistryPowerUser with the get image stuff stripped out. The ECS part is the bare minimum based on faulting through an actual deployment. The policy is wrapped in a Terraform resource, for the benefit of anyone using that.

resource "aws_iam_policy" "ecr-ecs-deployment" {
    name        = "ecr-ecs-deployment"
    path        = "/"
    description = "Allows writing new images to ECR and updating an existing ECS service task"
    # ECR actions: log in to the registry and push a new image.
    # ECS actions: register a new task definition revision and point the
    # existing service at it. Attach this policy to the IAM principal whose
    # credentials CircleCI uses.
    policy      = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:DescribeImages",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage",
        "ecs:DescribeTaskDefinition",
        "ecs:RegisterTaskDefinition",
        "ecs:UpdateService"
      ],
      "Resource": "*"
    }
  ]
}
POLICY
}
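As an added illustration (not the poster's policy or CircleCI's own code): the same grants generated in Python with `Resource` narrowed to one ECR repository and one ECS service where the action accepts an ARN, plus a small check that lists which actions are still granted on `*`. The account ID, region, repository, cluster and service names are constructed placeholders.

```python
import json

ECR_PUSH_ACTIONS = [  # actions from the posted policy that accept a repository ARN
    "ecr:BatchCheckLayerAvailability", "ecr:DescribeRepositories", "ecr:ListImages",
    "ecr:DescribeImages", "ecr:InitiateLayerUpload", "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload", "ecr:PutImage",
]

def build_deploy_policy(account_id, region, repo_name, cluster, service):
    """Same grants as the posted policy, narrowed to one ECR repository and one
    ECS service where the action supports a resource ARN (sample ARNs are
    assumptions; substitute your own)."""
    repo_arn = f"arn:aws:ecr:{region}:{account_id}:repository/{repo_name}"
    service_arn = f"arn:aws:ecs:{region}:{account_id}:service/{cluster}/{service}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            # ecr:GetAuthorizationToken does not take a resource; "*" is required.
            {"Sid": "EcrLogin", "Effect": "Allow",
             "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"},
            {"Sid": "EcrPushOneRepo", "Effect": "Allow",
             "Action": ECR_PUSH_ACTIONS, "Resource": repo_arn},
            # Task definition ARNs carry a revision number, so the two
            # task-definition calls stay on "*"; UpdateService does not need to.
            {"Sid": "EcsTaskDefinition", "Effect": "Allow",
             "Action": ["ecs:DescribeTaskDefinition", "ecs:RegisterTaskDefinition"],
             "Resource": "*"},
            {"Sid": "EcsUpdateOneService", "Effect": "Allow",
             "Action": ["ecs:UpdateService"], "Resource": service_arn},
        ],
    }

def wildcard_actions(policy):
    """Return the actions a policy still grants on Resource "*", so a reviewer
    can confirm each remaining wildcard is one AWS forces rather than an oversight."""
    found = []
    for stmt in policy["Statement"]:
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if "*" in resources and stmt.get("Effect") == "Allow":
            actions = stmt["Action"]
            found.extend([actions] if isinstance(actions, str) else actions)
    return found

if __name__ == "__main__":
    doc = build_deploy_policy("123456789012", "eu-west-1", "myapp", "prod", "web")
    print(json.dumps(doc, indent=2))          # paste into the Terraform heredoc
    print("still wildcard:", wildcard_actions(doc))
```

If the task definition references a task or execution role, `ecs:RegisterTaskDefinition` also needs `iam:PassRole` on that role, which the posted policy does not include.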