Required Permissions
This page describes the permissions a Piped requires to deploy applications. The required permissions depend on the platform.
Note: If you run a piped as an ECS task, you need to attach the permissions to the piped task's task role, not the task execution role.
For ECSApp
You need IAM actions like the following example. You can restrict Resource.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateService",
        "ecs:CreateTaskSet",
        "ecs:DeleteTaskSet",
        "ecs:DeregisterTaskDefinition",
        "ecs:DescribeServices",
        "ecs:DescribeTaskSets",
        "ecs:RegisterTaskDefinition",
        "ecs:RunTask",
        "ecs:TagResource",
        "ecs:UpdateService",
        "ecs:UpdateServicePrimaryTaskSet",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:ModifyListener",
        "elasticloadbalancing:ModifyRule"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::<account-id>:role/<task-execution-role>",
        "arn:aws:iam::<account-id>:role/<task-role>"
      ]
    }
  ]
}
For LambdaApp
You need IAM actions like the following example. You can restrict Resource.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:CreateAlias",
        "lambda:CreateFunction",
        "lambda:GetAlias",
        "lambda:GetFunction",
        "lambda:PublishVersion",
        "lambda:TagResource",
        "lambda:UntagResource",
        "lambda:UpdateAlias",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::<account-id>:role/<function-role>"
      ]
    }
  ]
}
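An added example, not part of the PipeCD documentation: a Python check to run over the policy you attach for piped before applying it. It flags role ARNs that still carry the `<...>` placeholders from the examples above, flags `iam:PassRole` granted on a wildcard resource, and lists the actions left on `"*"` as candidates for restricting Resource. The function names and the sample policy are constructed for illustration.

```python
import fnmatch
import json
import re

# Constructed sample with two deliberate mistakes: iam:PassRole on "*" and a
# role ARN whose <...> placeholders were never filled in.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow",
    "Action": ["ecs:UpdateService", "iam:PassRole"],
    "Resource": ["*"]},
   {"Effect": "Allow",
    "Action": "iam:PassRole",
    "Resource": ["arn:aws:iam::<account-id>:role/<task-role>"]}]}
""")

PLACEHOLDER = re.compile(r"<[^<>]+>")


def _as_list(value):
    """IAM accepts a bare string/object or a list for these elements."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def _grants_passrole(action):
    """True if an action pattern (may contain * or ?) covers iam:PassRole."""
    return fnmatch.fnmatchcase("iam:passrole", action.lower())


def audit(policy):
    """Return (statement index, finding, detail) tuples for Allow statements.

    Only Action/Resource are inspected (the elements the page's policies use).
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        passrole = any(_grants_passrole(a) for a in actions)
        for res in _as_list(stmt.get("Resource")):
            if PLACEHOLDER.search(res):
                findings.append((i, "placeholder", res))
            if passrole and "*" in res:
                findings.append((i, "passrole-wildcard", res))
            elif res == "*":
                findings.append((i, "wildcard-resource", ",".join(sorted(actions))))
    return findings
```

A `wildcard-resource` finding is a prompt for review rather than an error, since the page's own examples use `"*"` for the non-`iam:PassRole` actions.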
Last modified July 16, 2024: add note of task-role (#5035) (395d96e33)