|
@@ -0,0 +1,31 @@
|
|
|
|
|
+## Requirements
|
|
|
|
|
+
|
|
|
|
|
+This plugin relies on AWS API credentials, using the same configuration files as
|
|
|
|
|
+the AWS command line.
|
|
|
|
|
+
|
|
|
|
|
+Such credentials can be configured by the `docker ecs setup` command, either by
|
|
|
|
|
+selecting an existing AWS CLI profile from existing config files, or by creating
|
|
|
|
|
+one passing an AWS access key ID and secret access key.
|
|
|
|
|
+
|
|
|
|
|
+## Permissions
|
|
|
|
|
+
|
|
|
|
|
+AWS accounts (or IAM roles) used with the ECS plugin require following permissions:
|
|
|
|
|
+
|
|
|
|
|
+- ec2:DescribeSubnets
|
|
|
|
|
+- ec2:DescribeVpcs
|
|
|
|
|
+- iam:CreateServiceLinkedRole
|
|
|
|
|
+- iam:AttachRolePolicy
|
|
|
|
|
+- cloudformation:*
|
|
|
|
|
+- ecs:*
|
|
|
|
|
+- logs:*
|
|
|
|
|
+- servicediscovery:*
|
|
|
|
|
+- elasticloadbalancing:*
|
|
|
|
|
+
|
|
|
|
|
+
|
|
|
|
|
+## Okta support
|
|
|
|
|
+
|
|
|
|
|
+For those relying on [aws-okta](https://github.com/segmentio/aws-okta) to access a managed AWS account
|
|
|
|
|
+(as we do at Docker), you can populate your aws config files with temporary access tokens using:
|
|
|
|
|
+```shell script
|
|
|
|
|
+aws-okta write-to-credentials <profile> ~/.aws/credentials
|
|
|
|
|
+```
|
Nicolas De Loof