aws-ecs: downscope permissions required by instance draining hook #1204

Closed
rix0rrr opened this issue Nov 19, 2018 · 4 comments
Labels
@aws-cdk/aws-ecs Related to Amazon Elastic Container feature-request A feature should be added or improved.

Comments

rix0rrr commented Nov 19, 2018

No description provided.

@rix0rrr rix0rrr added enhancement @aws-cdk/aws-ecs Related to Amazon Elastic Container labels Nov 19, 2018
@srchase srchase added feature-request A feature should be added or improved. and removed enhancement labels Jan 3, 2019
rix0rrr commented May 21, 2019

SoManyHs commented May 29, 2019

@rix0rrr
In all of the managed ECS policies, the resource fields for the actions specified in the above link are all `"Resource": [*]`.

For the autoscaling permissions in particular, the required resource for CompleteLifecycleAction (according to the IAM docs) is an autoscaling group, and if I'm understanding it, the policy won't work if the resource is not compatible with the required ones. All this to say, I think that the way the policy is defined in the Lambda should be fine, but feel free to clarify if I'm missing something.

rix0rrr commented Jun 4, 2019

Probably: asg:CompleteLifeCycleAction will need ASG ARN? And the ecs calls need the ClusterArn?

Describe calls can stay at resource-* for all I care.
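
The scoping rule proposed in the comment above, written as a policy check. This is an added example, not part of the thread or of the aws-cdk code base; the sample policy, its placeholder ARN and the function names are constructed for illustration, and treating only `Describe*` actions as acceptable on `"Resource": "*"` is an assumption taken from that comment.

```python
import json

# Constructed sample policy (not from the issue). The action names are real
# IAM actions; REGION, ACCOUNT_ID and EXAMPLE-ASG are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:DescribeInstances", "autoscaling:CompleteLifecycleAction"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": "ecs:UpdateContainerInstancesState",
     "Resource": ["*"]},
    {"Effect": "Allow",
     "Action": "autoscaling:CompleteLifecycleAction",
     "Resource": "arn:aws:autoscaling:REGION:ACCOUNT_ID:autoScalingGroup:*:autoScalingGroupName/EXAMPLE-ASG"}
  ]
}
""")


def as_list(value):
    """IAM allows Action/Resource/Statement as a single value or a list."""
    return value if isinstance(value, list) else [value]


def is_describe(action):
    """True for 'service:Describe...' actions, which may stay on '*'."""
    _service, _, name = action.partition(":")
    return name.startswith("Describe")


def unscoped_actions(policy):
    """Return (statement index, action) for every non-Describe action that an
    Allow statement grants on Resource '*'. Wildcard actions such as 'ecs:*'
    are reported too, since they cover more than Describe calls."""
    findings = []
    for index, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in as_list(stmt.get("Resource", [])):
            continue
        for action in as_list(stmt.get("Action", [])):
            if not is_describe(action):
                findings.append((index, action))
    return findings


if __name__ == "__main__":
    for index, action in unscoped_actions(SAMPLE_POLICY):
        print(f"statement {index}: {action} is allowed on Resource '*'")
```

The check only looks at `Action` and `Resource`; statements that use `NotAction` or `NotResource` need separate handling.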

@piradeepk

This can be resolved.

@eladb eladb closed this as completed Jul 7, 2019