https://dagster.io/ logo
#deployment-ecs
Title
# deployment-ecs
r

rectalogic

04/10/2023, 2:27 PM
I'm trying to scope down some of the IAM permissions the dagster cloud ECS agent needs. It wants permission
servicediscovery:DeleteService
to delete any servicediscovery service. Is it possible to use a tag condition key with this
aws:ResourceTag/${TagKey}
? It looks like dagster cloud may pass some tags like
dagster/deployment_name
when it creates the service registry, but not when it deletes it so I suspect there is no way to scope this down. https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudmap.html#awscloudmap-service
d

daniel

04/10/2023, 6:59 PM
I haven't specifically tried it, but the tag condition key sounds promising to me - I wouldn't think you would need to pass in a tag to the service deletion in order for the IAM policy to be able to scope down access to certain services
9 Views