Merge branch 'master' into dependabot/npm_and_yarn/aws-sdk/client-ecs-3.624.0

amazreech · web-flow · commit fb327df70198 · 2024-08-12T09:27:35.000-04:00
diff --git a/README.md b/README.md
@@ -116,9 +116,7 @@ We recommend following [Amazon IAM best practices](https://docs.aws.amazon.com/I
 * [Monitor the activity](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#keep-a-log) of the credentials used in GitHub Actions workflows.
 
 ## Permissions
-
-This action requires the following minimum set of permissions:
-
+Running a service requires the following minimum set of permissions:
 ```json
 {
    "Version":"2012-10-17",
@@ -156,7 +154,36 @@ This action requires the following minimum set of permissions:
    ]
 }
 ```
-
+ 
+Running a one-off/stand-alone task requires the following minimum set of permissions:
+```json
+{
+   "Version": "2012-10-17",
+   "Statement":[
+      {
+         "Sid": "VisualEditor0",
+         "Effect": "Allow",
+         "Action":[
+            "ecs:RunTask",
+            "ecs:RegisterTaskDefinition",
+            "ecs:DescribeTasks"
+         ],
+         "Resource": "*"
+      },
+      {
+         "Sid": "PassRolesInTaskDefinition",
+         "Effect":"Allow",
+         "Action":[
+            "iam:PassRole"
+         ],
+         "Resource":[
+            "arn:aws:iam::<aws_account_id>:role/<task_definition_task_role_name>",
+            "arn:aws:iam::<aws_account_id>:role/<task_definition_task_execution_role_name>"
+         ]
+      }
+   ]
+}
+```
 Note: the policy above assumes the account has opted in to the ECS long ARN format.
 
 ## AWS CodeDeploy Support
