{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ECSScopedOperations",
      "Effect": "Allow",
      "Action": [
        "ecs:CreateCluster",
        "ecs:DeleteCluster",
        "ecs:DescribeClusters",
        "ecs:PutClusterCapacityProviders",
        "ecs:CreateCapacityProvider",
        "ecs:DeleteCapacityProvider",
        "ecs:DescribeCapacityProviders",
        "ecs:RunTask",
        "ecs:StopTask",
        "ecs:DescribeTasks",
        "ecs:DescribeContainerInstances",
        "ecs:TagResource"
      ],
      "Resource": "arn:aws:ecs:*:*:*/seqera-sched-*"
    },
    {
      "Sid": "ECSUnscopedOperations",
      "Effect": "Allow",
      "Action": [
        "ecs:RegisterTaskDefinition",
        "ecs:DeregisterTaskDefinition",
        "ecs:DescribeTaskDefinition",
        "ecs:ListTaskDefinitions",
        "ecs:ListTaskDefinitionFamilies",
        "ecs:ListTasks"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IAMRoleManagement",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:GetRole",
        "iam:DeleteRole",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:ListRolePolicies",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:CreateInstanceProfile",
        "iam:GetInstanceProfile",
        "iam:AddRoleToInstanceProfile",
        "iam:ListInstanceProfilesForRole",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:DeleteInstanceProfile"
      ],
      "Resource": [
        "arn:aws:iam::*:role/seqera-sched-*",
        "arn:aws:iam::*:instance-profile/seqera-sched-*"
      ]
    },
    {
      "Sid": "PassRoleToECS",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": [
        "arn:aws:iam::*:role/seqera-sched-*",
        "arn:aws:iam::*:role/TowerForge-*"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "ecs-tasks.amazonaws.com",
            "ecs.amazonaws.com",
            "ec2.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "ServiceLinkedRoles",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "ecs.amazonaws.com",
            "ecs-compute.amazonaws.com",
            "autoscaling.amazonaws.com",
            "spot.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "CloudWatchLogs",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:DeleteLogGroup",
        "logs:PutRetentionPolicy",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents",
        "logs:TagResource"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/seqera/sched*"
    },
    {
      "Sid": "EC2NetworkDiscoveryAndProvisioning",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeImages",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeRouteTables",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeInstances",
        "ec2:CreateSecurityGroup",
        "ec2:CreateVpcEndpoint",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:CreateTags"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ECRAccess",
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage"
      ],
      "Resource": "*"
    },
    {
      "Sid": "S3Access",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ASGEC2Operations",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstanceTypes",
        "ec2:CreateLaunchTemplate",
        "ec2:DeleteLaunchTemplate",
        "ec2:RunInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ASGManagement",
      "Effect": "Allow",
      "Action": [
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:DeleteAutoScalingGroup",
        "autoscaling:CreateOrUpdateTags"
      ],
      "Resource": "arn:aws:autoscaling:*:*:*/seqera-sched-*"
    },
    {
      "Sid": "ASGDescribe",
      "Effect": "Allow",
      "Action": "autoscaling:DescribeAutoScalingGroups",
      "Resource": "*"
    },
    {
      "Sid": "SSMECSOptimizedAmi",
      "Effect": "Allow",
      "Action": "ssm:GetParameter",
      "Resource": "arn:aws:ssm:*:*:parameter/aws/service/ecs/optimized-ami/*"
    },
    {
      "Sid": "CostExplorer",
      "Effect": "Allow",
      "Action": "ce:GetCostAndUsage",
      "Resource": "*"
    }
  ]
}
