I have multiple Fargate clusters in a single AWS account. I wish to ensure that a given service account (used by the build pipeline) can only update Services within a given Fargate clusters.
The IAM policy editor prompt for the ecs:UpdateService action's resource is arn:aws:ecs::<aws_account_id>:service/ which doesn't make sense given that different clusters can have Services that share a name. aws ecs describe-tasks shows both a "clusterArn" and "serviceArn" for each task. aws ecs list-services and aws ecs describe-services only apply to Services for a given cluster.
I created a policy that restricts the
ecs:UpdateServiceaction to only be able to update thearn:aws:ecs:<region>:<aws_account_id>:<service>resource, with a "StringEquals" condition specifying aecs:clustercondition key set to the ARN of the ECS cluster. Using this method, you could give*for<service>to allow a policy to update all services in a given cluster.Documentation: Actions, resources, and condition keys for Amazon Elastic Container Service