
Remove IAM actions from minimal policy for AWS FargateCluster #381

Open
jgdwyer opened this issue Sep 30, 2022 · 4 comments
Labels
enhancement New feature or request help wanted Extra attention is needed provider/aws/ecs Cluster provider for AWS ECS

Comments

@jgdwyer

jgdwyer commented Sep 30, 2022

In the interest of minimizing the number of permissions that we need to provide to the cluster manager, I'd like to explore the option of removing the need for iam:ListRoles and iam:ListRoleTags actions if all resources are specified when creating the cluster. Looking at the code, it appears that if the task_role_arn and execution_role_arn are specified, then the iam actions are only needed when attempting to clean up stale resources.

Is there support for skipping the cleanup of stale IAM roles if task_role_arn and execution_role_arn are explicitly specified? It might enable us to reduce the resources needed to ec2, ecs, and logs. (And for FargateCluster we could eliminate the need for ec2 as well).

```json
"ec2:CreateTags",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ecs:DescribeTasks",
"ecs:ListAccountSettings",
"ecs:RegisterTaskDefinition",
"ecs:RunTask",
"ecs:StopTask",
"ecs:ListClusters",
"ecs:DescribeClusters",
"ecs:ListTaskDefinitions",
"ecs:DescribeTaskDefinition",
"ecs:DeregisterTaskDefinition",
"logs:DescribeLogGroups",
"logs:GetLogEvents"
```
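The following is an added example, not code from the issue or from dask-cloudprovider itself. It models the reduction proposed above as a small policy generator plus a checker: `required_actions` drops the two `iam:*` actions when both role ARNs are supplied (so stale-role cleanup can be skipped) and drops the `ec2:*` actions for FargateCluster, and `removable_actions` reports which entries in an existing policy the proposal would make unnecessary, expanding IAM wildcard actions so that `ecs:*` is not flagged. It assumes the action list in the comment is complete for the roles-supplied case, treats the FargateCluster/ec2 claim as an assumption, and leaves `Resource` as `"*"` because the issue does not discuss resource scoping; the sample policy at the bottom is constructed.

```python
"""Constructed model of the permission reduction proposed in the issue."""
import fnmatch
import json

# Actions the issue lists as still needed once the IAM roles are user-supplied.
EC2_ACTIONS = (
    "ec2:CreateTags",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeSubnets",
    "ec2:DescribeVpcs",
)
ECS_ACTIONS = (
    "ecs:DescribeTasks",
    "ecs:ListAccountSettings",
    "ecs:RegisterTaskDefinition",
    "ecs:RunTask",
    "ecs:StopTask",
    "ecs:ListClusters",
    "ecs:DescribeClusters",
    "ecs:ListTaskDefinitions",
    "ecs:DescribeTaskDefinition",
    "ecs:DeregisterTaskDefinition",
)
LOGS_ACTIONS = ("logs:DescribeLogGroups", "logs:GetLogEvents")
# Per the issue, only needed to find and clean up stale roles.
IAM_CLEANUP_ACTIONS = ("iam:ListRoles", "iam:ListRoleTags")


def required_actions(task_role_arn=None, execution_role_arn=None, fargate=False):
    """Actions the cluster manager needs under the issue's reasoning.

    Both role ARNs supplied -> role cleanup is skipped, iam:* drops out.
    fargate=True -> ec2:* drops out as well (assumption taken from the issue).
    """
    roles_supplied = bool(task_role_arn) and bool(execution_role_arn)
    actions = set(ECS_ACTIONS) | set(LOGS_ACTIONS)
    if not fargate:
        actions |= set(EC2_ACTIONS)
    if not roles_supplied:
        actions |= set(IAM_CLEANUP_ACTIONS)
    return actions


def minimal_policy(**kwargs):
    """Render the action set as an IAM policy document.

    Resource stays "*" because scoping is outside the issue; a production
    policy should narrow it to the cluster's own ARNs.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(required_actions(**kwargs)), "Resource": "*"}
        ],
    }


def actions_in(policy):
    """Collect Allow actions, tolerating the single-statement and single-string forms."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    found = set()
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        acts = st.get("Action", [])
        found.update([acts] if isinstance(acts, str) else acts)
    return found


def services_in(policy):
    """Service prefixes (ec2, ecs, iam, logs, ...) granted by a policy."""
    return sorted({a.split(":", 1)[0] for a in actions_in(policy)})


def removable_actions(policy, **kwargs):
    """Entries in an existing policy that no required action matches.

    IAM action names are case-insensitive and may contain wildcards, so an
    entry such as "ecs:*" is kept if any required action matches it.
    """
    required = [r.lower() for r in required_actions(**kwargs)]
    return {
        entry for entry in actions_in(policy)
        if not any(fnmatch.fnmatchcase(req, entry.lower()) for req in required)
    }


# Constructed sample: a current-style policy still carrying the iam actions.
CURRENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": list(EC2_ACTIONS + ECS_ACTIONS + LOGS_ACTIONS + IAM_CLEANUP_ACTIONS),
        "Resource": "*",
    },
}

if __name__ == "__main__":
    supplied = dict(task_role_arn="arn:aws:iam::123456789012:role/task-placeholder",
                    execution_role_arn="arn:aws:iam::123456789012:role/exec-placeholder")
    print(json.dumps(minimal_policy(fargate=True, **supplied), indent=2))
    print("removable:", sorted(removable_actions(CURRENT_POLICY, fargate=True, **supplied)))
```

Running it prints the ecs/logs-only policy for a FargateCluster with both roles supplied, and lists the five `ec2:*` plus two `iam:*` actions as the entries that could be dropped from the sample policy.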
@jacobtomlinson
Member

I am very in favour of reducing the minimal permissions if the user provides everything themselves.

Cleaning up stale resources can be skipped today, are you suggesting automatically skipping if everything is provided?

@jacobtomlinson jacobtomlinson added enhancement New feature or request help wanted Extra attention is needed provider/aws/ecs Cluster provider for AWS ECS labels Oct 3, 2022
@jgdwyer
Author

jgdwyer commented Oct 3, 2022

Cleaning up stale resources can be skipped today, are you suggesting automatically skipping if everything is provided?

I was thinking to automatically skip the role cleanup if the roles were provided, but to keep the rest of the automatic cleanup in place. But perhaps there are other cleanup steps that can be skipped as well if their resources are directly provided?

@jacobtomlinson
Member

Yeah I think that makes sense. Do you have any interest/time to work on this?

@jgdwyer
Author

jgdwyer commented Oct 6, 2022

Yup I can put something together!
