What are the minimum permissions required for a CircleCI IAM user to push a Docker image to an AWS cluster

The Continuous Deployment (I know it's from 1.0, couldn’t find anything from 2.0) mentions the following permissions need to be granted for a CircleCI IAM user:

Permission - The ECS Container agent(s) need to have access to your repository. Make sure the underlying EC2 instances are allowed to access the repo. Their inherited policies should allow for “ecr:GetAuthorizationToken” at minimum.

Unfortunately this does not satisfy all the requirements in order to push a docker image to a cluster from CircleCI. I tried giving it EC2 full access and a select number of ECR specific permissions (the workaround was to give it admin, but I would prefer to remove that).

Could someone provide a policy that satisfies the minimum requirement of pushing a Docker image from Circle?

Edited: typo.

Sorry, I am a bit confused. Did you mean to say “push to a cluster on ECS”?

Hi @levlaz,

Sorry I wasn’t clear.

My workflow includes a CircleCI IAM user doing the following:
Pushing a docker image to ECS repository
Listing Current task definitions within a specific cluster
Creating a task definition
Updating a new revision to task definitions and making it the primary active
De-registering old task registrations.

Sorry my terminology was confusing. Does that help clear up my question on permissions necessary?
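
An added example, not part of the original thread: a starting point for a least-privilege IAM policy covering the workflow steps listed above (image push, then listing, registering and de-registering task definitions). The values `<REGION>`, `<ACCOUNT_ID>`, `<REPO_NAME>`, `<CLUSTER_NAME>`, `<SERVICE_NAME>` and `<TASK_ROLE_NAME>` are placeholders; the last two statements rest on assumptions not stated in the thread, namely that "making it the primary active" means updating an ECS service, and that the task definition references an IAM role that the CI user must be allowed to pass.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EcrLogin",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "EcrPushToOneRepository",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage"
      ],
      "Resource": "arn:aws:ecr:<REGION>:<ACCOUNT_ID>:repository/<REPO_NAME>"
    },
    {
      "Sid": "EcsTaskDefinitionLifecycle",
      "Effect": "Allow",
      "Action": [
        "ecs:ListTaskDefinitions",
        "ecs:RegisterTaskDefinition",
        "ecs:DeregisterTaskDefinition"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AssumedEcsServiceUpdate",
      "Effect": "Allow",
      "Action": ["ecs:DescribeServices", "ecs:UpdateService"],
      "Resource": "arn:aws:ecs:<REGION>:<ACCOUNT_ID>:service/<CLUSTER_NAME>/<SERVICE_NAME>"
    },
    {
      "Sid": "AssumedPassTaskRole",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::<ACCOUNT_ID>:role/<TASK_ROLE_NAME>",
      "Condition": {
        "StringEquals": { "iam:PassedToService": "ecs-tasks.amazonaws.com" }
      }
    }
  ]
}
```

`ecr:GetAuthorizationToken` cannot be scoped to a repository, so it keeps `"Resource": "*"`; the push actions are the ones that should be pinned to the single repository ARN.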