# deployment-ecs
r
I'm trying to scope down some of the IAM permissions the dagster cloud ECS agent needs. It wants permission `servicediscovery:DeleteService` to delete any servicediscovery service. Is it possible to use a tag condition key with this (`aws:ResourceTag/${TagKey}`)? It looks like dagster cloud may pass some tags like `dagster/deployment_name` when it creates the service registry, but not when it deletes it, so I suspect there is no way to scope this down. https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudmap.html#awscloudmap-service
d
I haven't specifically tried it, but the tag condition key sounds promising to me - I wouldn't think you would need to pass in a tag to the service deletion in order for the IAM policy to be able to scope down access to certain services
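The point in the reply above is that `aws:ResourceTag/...` is evaluated against the tags already attached to the target resource, not against tags sent with the delete request, so a tag applied at creation time is enough to scope `servicediscovery:DeleteService`. The following is an added example, not code from the thread, Dagster or AWS: a constructed IAM policy that allows deletion only of Cloud Map services tagged `dagster/deployment_name=prod`, plus a small offline evaluator for the `StringEquals`/`aws:ResourceTag` subset so the behaviour can be checked without an AWS account. The account id, region and service ARNs are placeholders, and it assumes (per the linked service-authorization reference) that `DeleteService` supports the `aws:ResourceTag/${TagKey}` condition key.

```python
import fnmatch
import json

# Constructed policy (placeholder account/region): allow DeleteService only on
# Cloud Map services whose existing tag dagster/deployment_name equals "prod".
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "servicediscovery:DeleteService",
            "Resource": "arn:aws:servicediscovery:us-east-1:123456789012:service/*",
            "Condition": {
                "StringEquals": {"aws:ResourceTag/dagster/deployment_name": "prod"}
            },
        }
    ],
}


def _condition_holds(condition, resource_tags):
    """Evaluate the StringEquals / aws:ResourceTag subset used by POLICY.

    resource_tags are the tags on the *existing* resource (what the API
    looks up at request time), not anything carried in the delete request.
    """
    prefix = "aws:ResourceTag/"
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"operator not modelled here: {operator}")
        for key, expected in pairs.items():
            if not key.startswith(prefix):
                raise ValueError(f"condition key not modelled here: {key}")
            tag_key = key[len(prefix):]
            # A missing tag fails StringEquals, so untagged resources are denied.
            if resource_tags.get(tag_key) != expected:
                return False
    return True


def is_allowed(policy, action, resource_arn, resource_tags):
    """Simplified IAM evaluation: explicit Deny wins, otherwise any matching
    Allow grants access, otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not fnmatch.fnmatchcase(resource_arn, stmt["Resource"]):
            continue
        if not _condition_holds(stmt.get("Condition", {}), resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    arn = "arn:aws:servicediscovery:us-east-1:123456789012:service/srv-prod01"
    # The delete request itself carries no tags; only the resource's tags matter.
    print(json.dumps(POLICY, indent=2))
    print("prod-tagged service:", is_allowed(POLICY, "servicediscovery:DeleteService", arn,
                                             {"dagster/deployment_name": "prod"}))
    print("untagged service:   ", is_allowed(POLICY, "servicediscovery:DeleteService", arn, {}))
```

To check the real thing rather than this model, the AWS CLI's `aws iam simulate-custom-policy` takes the policy document, an action name and resource ARNs and reports the evaluation decision for an existing, tagged service.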