Tags: amazon-web-services, amazon-iam, amazon-ecs

What permissions are required for aws ecs wait services-stable?


On my CI I am running: aws ecs wait services-stable --cluster $CLUSTER --services $SERVICE

This works perfectly with my IAM credential, but my down scoped credential for CI fails with:

In function length(), invalid type for value: None, expected one of: ['string', 'array', 'object'], received: "null"

The policy attached to the CI group grants the following:

"ecs:ListClusters", "ecs:ListServices", "ecs:CreateService", "ecs:UpdateService", "ecs:DeleteService", "ecs:RegisterTaskDefinition", "ecs:DiscoverPollEndpoint", "ecs:Poll", "ecs:DeregisterTaskDefinition", "ecs:ListTaskDefinitions", "ecs:ListTasks", "ecs:RunTask", "ecs:StartTask", "ecs:StopTask", "ecs:SubmitTaskStateChange", "autoscaling:DescribeAutoScalingGroups", "autoscaling:UpdateAutoScalingGroup", "iam:ListServerCertificates", "cloudformation:DescribeStacks"

I had thought granting Poll and DiscoverPollEndpoint would cover wait. What am I missing?

Thanks!


Solution

  • aws ecs wait services-stable requires ecs:DescribeServices. You can see the source of the waiter here.

    ecs:Poll and ecs:DiscoverPollEndpoint (and a few other actions) are only used by the ECS agent; you do not need to grant those permissions to anything other than the ECS agent.
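Added illustration (not part of the original answer): a least-privilege IAM statement for the CI principal that grants the ecs:DescribeServices action the waiter needs, scoped to the one service it polls, alongside the agent-only actions that can be dropped. The region, account ID, cluster and service names are placeholders; scoping to the service ARN assumes the account uses the long-form ECS service ARN format, otherwise use "*" as the resource.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowWaitServicesStable",
      "Effect": "Allow",
      "Action": "ecs:DescribeServices",
      "Resource": "arn:aws:ecs:REGION:ACCOUNT_ID:service/CLUSTER_NAME/SERVICE_NAME"
    },
    {
      "Sid": "RemoveAgentOnlyActions_NotNeededByCI",
      "Effect": "Deny",
      "Action": [
        "ecs:Poll",
        "ecs:DiscoverPollEndpoint",
        "ecs:SubmitTaskStateChange"
      ],
      "Resource": "*"
    }
  ]
}
```

The second statement is an explicit deny so that the agent-only actions stay out of the CI credential even if another attached policy grants them; the waiter only needs the first statement.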