GitLab CI ECS Deploy Pipeline
This JSON document is the IAM policy attached to the AWS principal (role or user) that the GitLab CI pipeline deploys as. It grants the four permissions a rolling ECS deploy needs, and nothing else: read the current task definition, register a new revision, update one named service, and pass the task role and task execution role that the revision references.
IAM Policy for GitLab CI ECS Deployment
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ECSReadAccess",
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeTaskDefinition"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "ECSWriteAccess",
      "Effect": "Allow",
      "Action": [
        "ecs:RegisterTaskDefinition"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "ECSDeployAccess",
      "Effect": "Allow",
      "Action": [
        "ecs:UpdateService"
      ],
      "Resource": [
        "arn:aws:ecs:eu-west-1:xxxxxxxxxxxx:service/teamname-env-cluster/servicename"
      ]
    },
    {
      "Sid": "IAMPassRole",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::xxxxxxxxxxxx:role/ecs-taskrole-teamname-clustername",
        "arn:aws:iam::xxxxxxxxxxxx:role/ecsTaskExecutionRole"
      ]
    }
  ]
}
```
Explanation of Permissions
The policy includes the following key permissions:
- ECSReadAccess: Allows the pipeline to read the current task definition (`ecs:DescribeTaskDefinition`), which it uses as the template for the next revision. This action has no resource-level permissions, so `*` is the only valid resource.
- ECSWriteAccess: Permits the pipeline to register a new task definition revision (`ecs:RegisterTaskDefinition`). This action also has no resource-level permissions, so `*` is required here too.
- ECSDeployAccess: Grants `ecs:UpdateService` on exactly one named service in one named cluster, so the pipeline can point that service at the new revision but cannot touch any other service.
- IAMPassRole: Allows the pipeline to pass exactly the two roles the task definition references (the task role and the task execution role). IAM checks `iam:PassRole` when a task definition naming those roles is registered, so without this statement the `ecs:RegisterTaskDefinition` call is denied.
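The read and write statements exist for one job: fetch the current revision, swap the image, and register the result. The raw `DescribeTaskDefinition` output cannot be fed straight back to `RegisterTaskDefinition` because it carries read-only fields the register call rejects. The following is an added example (not code from the page or its author) that performs that rendering offline on a constructed sample, refuses mutable image references, and checks that the roles the new revision names are ones the `IAMPassRole` statement actually permits. The account ID `123456789012`, the family `servicename`, the container name `app` and the image tags are hypothetical.

```python
import copy
import json

# Constructed sample: the shape of `aws ecs describe-task-definition` output
# for the current revision (hypothetical account id, family and image).
SAMPLE_DESCRIBE = {
    "taskDefinition": {
        "taskDefinitionArn": "arn:aws:ecs:eu-west-1:123456789012:task-definition/servicename:7",
        "family": "servicename",
        "revision": 7,
        "status": "ACTIVE",
        "taskRoleArn": "arn:aws:iam::123456789012:role/ecs-taskrole-teamname-clustername",
        "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
        "networkMode": "awsvpc",
        "requiresCompatibilities": ["FARGATE"],
        "cpu": "256",
        "memory": "512",
        "containerDefinitions": [
            {
                "name": "app",
                "image": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/servicename:a1b2c3d",
                "essential": True,
                "portMappings": [{"containerPort": 8080, "protocol": "tcp"}],
            }
        ],
        "requiresAttributes": [{"name": "ecs.capability.execution-role-ecr-pull"}],
        "compatibilities": ["EC2", "FARGATE"],
        "registeredAt": 1700000000.0,
        "registeredBy": "arn:aws:iam::123456789012:role/gitlab-ci-deploy",
    }
}

# Read-only fields DescribeTaskDefinition returns but RegisterTaskDefinition rejects.
READ_ONLY_FIELDS = (
    "taskDefinitionArn", "revision", "status", "requiresAttributes",
    "compatibilities", "registeredAt", "registeredBy", "deregisteredAt",
)

# Role ARNs the pipeline may pass; mirrors the IAMPassRole statement above,
# with the same hypothetical account id as the sample.
ALLOWED_ROLE_ARNS = frozenset({
    "arn:aws:iam::123456789012:role/ecs-taskrole-teamname-clustername",
    "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
})


def is_immutable_ref(image):
    """Constructed rule for this example: accept a digest-pinned image or an
    explicit tag other than 'latest'. A mutable tag would let a later push
    change what an already-registered revision runs."""
    name = image.rsplit("/", 1)[-1]          # strip registry/repository path
    if "@sha256:" in name:
        return True
    if ":" not in name:
        return False                         # untagged means implicit 'latest'
    return name.rsplit(":", 1)[1] != "latest"


def render_task_definition(describe_output, container_name, new_image):
    """Build a RegisterTaskDefinition request from DescribeTaskDefinition
    output, replacing one container's image and carrying everything else over."""
    if not is_immutable_ref(new_image):
        raise ValueError(f"refusing mutable image reference: {new_image}")
    td = copy.deepcopy(describe_output["taskDefinition"])
    for field in READ_ONLY_FIELDS:
        td.pop(field, None)
    targets = [c for c in td["containerDefinitions"] if c["name"] == container_name]
    if not targets:
        raise ValueError(f"no container named {container_name!r} in task definition")
    for container in targets:
        container["image"] = new_image
    return td


def unexpected_roles(task_definition, allowed=ALLOWED_ROLE_ARNS):
    """Roles the new revision names that the pipeline is not allowed to
    iam:PassRole. An empty set means the register call will not be denied
    on PassRole grounds."""
    referenced = {task_definition.get(k) for k in ("taskRoleArn", "executionRoleArn")}
    referenced.discard(None)
    return referenced - set(allowed)


if __name__ == "__main__":
    new_td = render_task_definition(
        SAMPLE_DESCRIBE, "app",
        "123456789012.dkr.ecr.eu-west-1.amazonaws.com/servicename:d4e5f6a")
    if unexpected_roles(new_td):
        raise SystemExit(f"task definition names roles outside IAMPassRole: {unexpected_roles(new_td)}")
    print(json.dumps(new_td, indent=2))  # this is the register-task-definition input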
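In a pipeline, the printed JSON is what gets passed to `aws ecs register-task-definition --cli-input-json`, and the returned revision ARN is what `ecs:UpdateService` is then called with. Running `unexpected_roles` before registering turns an opaque access-denied error into a clear message about which role is missing from the policy.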
Considerations
Keep the `Resource` ARNs scoped to the one service and the two roles this pipeline deploys. `ecs:DescribeTaskDefinition` and `ecs:RegisterTaskDefinition` do not support resource-level permissions, which is why those two statements use `*`, but `ecs:UpdateService` and especially `iam:PassRole` must never be left on `*`: a wildcard `iam:PassRole` would let a compromised pipeline attach any role in the account to a task, which is a direct privilege-escalation path. Add a `Condition` of `"iam:PassedToService": "ecs-tasks.amazonaws.com"` to the `IAMPassRole` statement so the two roles can only be passed to ECS tasks and not to other services. Replace the `eu-west-1` region and the account-ID placeholders (`xxxxxxxxxxxx`) with the values for your AWS environment before attaching the policy.
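The scoping advice above is mechanical enough to check in code. The following is an added example (not from the page or its author) that lints the policy shown above against those rules and produces the hardened form: it treats `*` as expected only for the two ECS actions without resource-level permissions, flags any other wildcard, flags an `iam:PassRole` statement that lacks the `iam:PassedToService` condition, and flags placeholder account IDs left in ARNs. The `ecs-tasks.amazonaws.com` service principal and the `iam:PassedToService` condition key are standard IAM; the account ID `123456789012` is hypothetical.

```python
import json

# The policy from this page, embedded as the sample input.
PAGE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ECSReadAccess", "Effect": "Allow",
     "Action": ["ecs:DescribeTaskDefinition"], "Resource": ["*"]},
    {"Sid": "ECSWriteAccess", "Effect": "Allow",
     "Action": ["ecs:RegisterTaskDefinition"], "Resource": ["*"]},
    {"Sid": "ECSDeployAccess", "Effect": "Allow",
     "Action": ["ecs:UpdateService"],
     "Resource": ["arn:aws:ecs:eu-west-1:xxxxxxxxxxxx:service/teamname-env-cluster/servicename"]},
    {"Sid": "IAMPassRole", "Effect": "Allow",
     "Action": ["iam:PassRole"],
     "Resource": ["arn:aws:iam::xxxxxxxxxxxx:role/ecs-taskrole-teamname-clustername",
                  "arn:aws:iam::xxxxxxxxxxxx:role/ecsTaskExecutionRole"]}
  ]
}
""")

# ECS actions with no resource-level permissions: "*" is the only valid
# Resource for them, so a wildcard there is expected rather than a finding.
WILDCARD_ONLY_ACTIONS = frozenset({"ecs:DescribeTaskDefinition", "ecs:RegisterTaskDefinition"})
PLACEHOLDER_ACCOUNT = "xxxxxxxxxxxx"
ECS_TASKS_SERVICE = "ecs-tasks.amazonaws.com"


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/condition values."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return human-readable findings; an empty list means the policy is
    scoped the way the considerations above ask for."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        has_wildcard_resource = "*" in resources
        for action in actions:
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action}")
            elif has_wildcard_resource and action not in WILDCARD_ONLY_ACTIONS:
                findings.append(f"{sid}: {action} allowed on Resource '*'")
            if action == "iam:PassRole":
                passed_to = stmt.get("Condition", {}).get("StringEquals", {}).get("iam:PassedToService")
                if ECS_TASKS_SERVICE not in _as_list(passed_to or []):
                    findings.append(f"{sid}: iam:PassRole lacks an iam:PassedToService condition for {ECS_TASKS_SERVICE}")
        for res in resources:
            if PLACEHOLDER_ACCOUNT in res:
                findings.append(f"{sid}: placeholder account id still in {res}")
    return findings


def hardened_passrole(role_arns):
    """IAMPassRole statement restricted to passing the roles to the ECS task
    service, so the same pipeline credentials cannot hand them to another service."""
    return {
        "Sid": "IAMPassRole",
        "Effect": "Allow",
        "Action": ["iam:PassRole"],
        "Resource": list(role_arns),
        "Condition": {"StringEquals": {"iam:PassedToService": ECS_TASKS_SERVICE}},
    }


def harden(policy, account_id):
    """Copy of the policy with the placeholder account id filled in and the
    PassRole statement replaced by the conditioned version."""
    out = json.loads(json.dumps(policy).replace(PLACEHOLDER_ACCOUNT, account_id))
    out["Statement"] = [
        hardened_passrole(_as_list(s["Resource"])) if "iam:PassRole" in _as_list(s.get("Action", [])) else s
        for s in out["Statement"]
    ]
    return out


if __name__ == "__main__":
    for finding in lint_policy(PAGE_POLICY):
        print("finding:", finding)
    fixed = harden(PAGE_POLICY, "123456789012")
    print("after hardening:", lint_policy(fixed) or "no findings")
    print(json.dumps(fixed, indent=2))
```

Run against the policy as printed on this page, the linter reports the missing `iam:PassedToService` condition and the three placeholder account IDs and nothing else; the two `*` resources on the ECS read and register actions are accepted because no narrower scope exists for them. Point `lint_policy` at any other deploy policy to catch an `ecs:UpdateService` or `iam:PassRole` statement that was left on `*`.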