Add ec2:DescribeTags to ec2 instance role. Fixes #744

aws · Mar 11, 2019 · c0c8cbc · c0c8cbc
1 parent ef61921
commit c0c8cbc
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -315,13 +315,17 @@ In addition to EC2 Instances, other resources created by default include:
 
 You can provide your own resources (such as subnets, VPC, or security groups) via their flag options.
 
+**Note:** Unless you specify a custom EC2 instance role with `--instance-role`, the ECS CLI will create the instance role.
+This role will contain the [AmazonEC2ContainerServiceforEC2Role](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html) managed policy, and `ec2:DescribeTags` permissions.
+
 **Note:** The default security group created by `ecs-cli up` allows inbound traffic on port 80 by
 default. To allow inbound traffic from a different port, specify the port you wish to open with the
 `--port` option. To add more ports to the default security group, go to **EC2 Security Groups** in
 the AWS Management Console and search for the security group containing “ecs-cli”. Add a rule as
 described in the [Adding Rules to a Security Group](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#adding-security-group-rule)
 topic.
 
+
 Alternatively, you may specify one or more existing security group IDs with the `--security-group` option.
 
 You can also create an empty ECS cluster by using the `--empty` or `--e` flag:

diff --git a/ecs-cli/modules/clients/aws/cloudformation/cluster_template.go b/ecs-cli/modules/clients/aws/cloudformation/cluster_template.go
@@ -602,6 +602,27 @@ var cluster_template = `
       "Condition": "CreateEcsInstanceRole",
       "Type": "AWS::IAM::Role",
       "Properties": {
+        "Policies": [
+           {
+             "PolicyName": {
+                "Fn::Join" : [
+                    "-", [
+                        "amazon-ecs-cli-setup",
+                        { "Ref": "EcsCluster" },
+                        "instance-tagging-policy"
+                    ]
+                ]
+             },
+             "PolicyDocument": {
+             "Version" : "2012-10-17",
+               "Statement": [ {
+                 "Effect": "Allow",
+                 "Action": "ec2:DescribeTags",
+                 "Resource": "*"
+               } ]
+             }
+          }
+        ],
         "AssumeRolePolicyDocument": {
           "Version": "2012-10-17",
           "Statement": [