Adding IAM permissions for calculating the cluster capacity

One point to note about the code in the preceding example is that it requires the ability to call the ECS service and execute the ListContainerInstances and DescribeContainerInstances API calls. This means you need to add the appropriate IAM permissions to the Lambda function's IAM role, as demonstrated in the following example. Note that DescribeContainerInstances cannot be restricted by resource ARN, so its Resource is "*" and the ecs:cluster condition is what limits it to the application cluster:

...
Resources:
  ...
  EcsCapacityRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
      Policies:
        - PolicyName: EcsCapacityPermissions
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: ListContainerInstances
                Effect: Allow
                Action:
                  - ecs:ListContainerInstances
                Resource: !Sub ${ApplicationCluster.Arn}
              - Sid: DescribeContainerInstances
                Effect: Allow
                Action:
                  - ecs:DescribeContainerInstances
                Resource: "*"
                Condition:
                  ArnEquals:
                    ecs:cluster: !Sub ${ApplicationCluster.Arn}
              - Sid: ManageLambdaLogs
                Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub ${EcsCapacityLogGroup.Arn}
  ...
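As an added example (not code from the book or the project), the following Python audits the policy above for least privilege: it confirms the two ECS actions the function needs are granted, flags wildcard actions, and flags any `Resource: "*"` statement that lacks a Condition. The policy is re-stated as a Python dict with placeholder ARNs in place of the `!Sub` references, and `without_condition` produces a deliberately weakened copy to show what the audit catches.

```python
from copy import deepcopy

# Constructed Python equivalent of the PolicyDocument above; the !Sub references
# are replaced with placeholder ARNs so the check runs offline.
CLUSTER_ARN = "arn:aws:ecs:us-east-1:111122223333:cluster/ApplicationCluster"
LOG_GROUP_ARN = "arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/ecsCapacity"
ECS_CAPACITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListContainerInstances", "Effect": "Allow",
         "Action": ["ecs:ListContainerInstances"], "Resource": CLUSTER_ARN},
        {"Sid": "DescribeContainerInstances", "Effect": "Allow",
         "Action": ["ecs:DescribeContainerInstances"], "Resource": "*",
         "Condition": {"ArnEquals": {"ecs:cluster": CLUSTER_ARN}}},
        {"Sid": "ManageLambdaLogs", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": LOG_GROUP_ARN},
    ],
}
# The two ECS calls the capacity function makes, per the text above.
REQUIRED_ACTIONS = {"ecs:ListContainerInstances", "ecs:DescribeContainerInstances"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def granted_actions(policy):  # actions permitted by the policy's Allow statements
    return {a for s in policy["Statement"] if s.get("Effect") == "Allow"
            for a in _as_list(s.get("Action", []))}

def unscoped_wildcards(policy):
    """Sids of Allow statements with Resource "*" and no Condition. The Describe
    call accepts no resource ARN, so "*" is unavoidable there and the
    ecs:cluster condition is what keeps it scoped to one cluster."""
    return [s.get("Sid", "<no Sid>") for s in policy["Statement"]
            if s.get("Effect") == "Allow"
            and "*" in _as_list(s.get("Resource", []))
            and not s.get("Condition")]

def audit(policy, required=REQUIRED_ACTIONS):
    """Return (missing required actions, wildcard actions, unscoped Sids)."""
    granted = granted_actions(policy)
    missing = sorted(set(required) - granted)
    broad = sorted(a for a in granted if "*" in a)  # e.g. ecs:* or "*"
    return missing, broad, unscoped_wildcards(policy)

def without_condition(policy, sid):
    """Weakened copy of the policy: one statement's Condition dropped."""
    weak = deepcopy(policy)
    next(s for s in weak["Statement"] if s.get("Sid") == sid).pop("Condition", None)
    return weak
```

Running `audit(ECS_CAPACITY_POLICY)` returns three empty lists for the policy as written; dropping the ecs:cluster Condition makes the DescribeContainerInstances statement show up as an unscoped wildcard.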