Skip to content

Update ECS Deployment IAM policies for Scaling #11771

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Update ECS Deployment IAM policies for Scaling #11771

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
c5e19b7
Update ecs-deployment-tutorial.md
lorenyeung Oct 24, 2025
adf1df1
Update ecs-deployment-tutorial.md
lorenyeung Oct 24, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
96 changes: 71 additions & 25 deletions ...ontinuous-delivery/deploy-srv-diff-platforms/aws/ecs/ecs-deployment-tutorial.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,10 @@ The custom managed policy should have the following permissions:
"ecs:DescribeTaskDefinition",
"application-autoscaling:DescribeScalableTargets",
"application-autoscaling:DescribeScalingPolicies",
"application-autoscaling:RegisterScalableTarget",
"application-autoscaling:PutScalingPolicy",
"application-autoscaling:DeregisterScalableTarget",
"application-autoscaling:DeleteScalingPolicy",
"iam:ListRoles",
"iam:PassRole"
],
Expand Down Expand Up @@ -109,6 +113,10 @@ The custom managed policy should have the following permissions:
| `ecs:DescribeTaskDefinition` | Describes the Task Definition Harness deployed. Harness collects the revision data for rollback purposes. Harness also uses it to understand the current state of the ECS cluster. |
| `application-autoscaling:DescribeScalableTargets` | Describes the scalable targets Harness deploys with the ECS service. This permission can be removed if the user doesn’t leverage scalable targets. |
| `application-autoscaling:DescribeScalingPolicies` | Describes the scaling policies associated with the deployed ECS service. This permission can be removed if the user doesn’t leverage scaling policies. |
| `application-autoscaling:RegisterScalableTarget` | Registers the scalable targets Harness deploys with the ECS service. This permission can be removed if the user doesn’t leverage scalable targets. |
| `application-autoscaling:PutScalingPolicy` | Registers the scaling policies associated with the deployed ECS service. This permission can be removed if the user doesn’t leverage scaling policies. |
| `application-autoscaling:DeregisterScalableTarget`| Removes the older scalable targets on an existing ECS service before a new ECS deployment. This permission can be removed if the user doesn’t leverage scalable targets. |
| `application-autoscaling:DeleteScalingPolicy` | Removes the older scaling policies on an existing ECS service before a new ECS deployment. This permission can be removed if the user doesn’t leverage scaling policies. |
| `iam:ListRoles` | Lists roles. Harness uses the role associated with the Harness connector for deployment. |
| `iam:PassRole` | Harness passes the role with the ECS deployment. |

Expand Down Expand Up @@ -814,19 +822,19 @@ Harness performs the deployment and checks to make sure the ECS service reaches

```
Creating Task Definition with family fargate-task-definition
Created Task Definition fargate-task-definition:6 with Arn arn:aws:ecs:us-west-2:123456789:task-definition/fargate-task-definition:6..
Created Task Definition fargate-task-definition:6 with Arn arn:aws:ecs:us-west-2:xxx:task-definition/fargate-task-definition:6..

Deleting Scaling Policies from service myapp..
Didn't find any Scaling Policies attached to service myapp

Deregistering Scalable Targets from service myapp..
Didn't find any Scalable Targets on service myapp
Updating Service myapp with task definition arn:aws:ecs:us-west-2:123456789:task-definition/fargate-task-definition:6 and desired count 1
Updating Service myapp with task definition arn:aws:ecs:us-west-2:xxx:task-definition/fargate-task-definition:6 and desired count 1
Waiting for pending tasks to finish. 1/1 running ...
Waiting for Service myapp to reach steady state
...
Service myapp reached steady state
Updated Service myapp with Arn arn:aws:ecs:us-west-2:123456789:service/ecs-tutorial/myapp
Updated Service myapp with Arn arn:aws:ecs:us-west-2:xxx:service/ecs-tutorial/myapp

Deployment Successful.
```
Expand Down Expand Up @@ -1008,6 +1016,44 @@ For more information, see [describe-scaling-policies](https://docs.aws.amazon.co

To create the Scalable Target and Scalable Policy resources, see the [register-scalable-target](https://docs.aws.amazon.com/cli/latest/reference/application-autoscaling/register-scalable-target.html) and [put-scaling-policy](https://docs.aws.amazon.com/cli/latest/reference/application-autoscaling/put-scaling-policy.html) commands from AWS.

During deployment, Harness removes auto scaling from the previous service in the **Rolling Deployment** step and deploys a fresh configuration at the end of the step.
Pre-deployment logs with the scaling policy/target delete:
```
Creating Task Definition with family demo-2-ecs-svc-task-definition
Created Task Definition demo-2-ecs-svc-task-definition:14 with Arn arn:aws:ecs:us-west-2:xxx:task-definition/demo-2-ecs-svc-task-definition:14..
Deleting Scaling Policies from service demo-2-ecs-svc..
Deleted Scaling Policy TargetTrackingPolicyCPU from service demo-2-ecs-svc
..
Deleted Scaling Policies from service demo-2-ecs-svc

Deregistering Scalable Targets from service demo-2-ecs-svc..
Deregistered Scalable Target with Scalable Dimension ecs:service:DesiredCount from service demo-2-ecs-svc..
Deregistered Scalable Targets from service demo-2-ecs-svc

Updating Service demo-2-ecs-svc with task definition arn:aws:ecs:us-west-2:xxx:task-definition/demo-2-ecs-svc-task-definition:14 and desired count 2
Waiting for Service demo-2-ecs-svc to reach steady state
```
Post-deployment logs with the scaling policy/target deploy:
```
Current Deployment Status
Service demo-2-ecs-svc Overall Status DesiredCount=2 PendingCount=0 RunningCount=2
Service Deployments Status
Deployment Id=ecs-svc/5898046733595302350, Status=PRIMARY, TaskDefinition=arn:aws:ecs:us-west-2:xxx:task-definition/demo-2-ecs-svc-task-definition:14, DesiredCount=2, PendingCount=0, RunningCount=2, FailedTasks=0, RolloutState=COMPLETED
# AWS Event: 2025-10-23 04:50:21.937 (service demo-2-ecs-svc) (deployment ecs-svc/5898046733595302350) deployment completed.
# AWS Event: 2025-10-23 04:50:21.938 (service demo-2-ecs-svc) has reached a steady state.

Service demo-2-ecs-svc reached steady state
Updated Service demo-2-ecs-svc with Arn arn:aws:ecs:us-west-2:xxx:service/loren-ecs-cluster/demo-2-ecs-svc

Registering Scalable Targets to service demo-2-ecs-svc..
Registered Scalable Target with Scalable Dimension ecs:service:DesiredCount to service demo-2-ecs-svc
Registered Scalable Targets to service demo-2-ecs-svc

Attaching Scaling Policies to service demo-2-ecs-svc..
Attached Scaling Policy TargetTrackingPolicyCPU to service demo-2-ecs-svc
Attached Scaling Policies to service demo-2-ecs-svc
```

#### Enable Auto Scaling In Swap Step

If you select **Enable Auto Scaling In Swap Step** in the **ECS Blue Green Create Service** step, then Harness will attach auto scaling policies to the new service it deploys in the **Configure Swap Target Groups** step. The policies are taken from the **Scalable Target** and **Scaling Policy settings** in the Harness service.
Expand Down Expand Up @@ -1061,16 +1107,16 @@ The deployment follows this process:

```
Creating Task Definition with family fargate-task-definition
Created Task Definition fargate-task-definition:9 with Arn arn:aws:ecs:us-west-2:1234567890:task-definition/fargate-task-definition:9..
Creating Service myappCanary with task definition arn:aws:ecs:us-west-2:1234567890:task-definition/fargate-task-definition:9 and desired count 1
Created Task Definition fargate-task-definition:9 with Arn arn:aws:ecs:us-west-2:xxx:task-definition/fargate-task-definition:9..
Creating Service myappCanary with task definition arn:aws:ecs:us-west-2:xxx:task-definition/fargate-task-definition:9 and desired count 1
Waiting for pending tasks to finish. 0/1 running ...
Waiting for pending tasks to finish. 0/1 running ...
# AWS Event: 2022-10-07 00:05:14.665 (service myappCanary) has started 1 tasks: (task ab694b189d204d15950b0466c0e5bd10).
Waiting for pending tasks to finish. 0/1 running ...
Waiting for pending tasks to finish. 1/1 running ...
Waiting for Service myappCanary to reach steady state
Service myappCanary reached steady state
Created Service myappCanary with Arn arn:aws:ecs:us-west-2:1234567890:service/ecs-canary/myappCanary
Created Service myappCanary with Arn arn:aws:ecs:us-west-2:xxx:service/ecs-canary/myappCanary

Deployment Successful.
```
Expand Down Expand Up @@ -1298,21 +1344,21 @@ Here's an example of the output of the step:

```
Creating Task Definition with family johndoe-fargate
Created Task Definition johndoe-fargate:498 with Arn arn:aws:ecs:us-east-1:1234567890:task-definition/johndoe-fargate:498..
Created Task Definition johndoe-fargate:498 with Arn arn:aws:ecs:us-east-1:xxx:task-definition/johndoe-fargate:498..

Creating Stage Service abc__1 with task definition arn:aws:ecs:us-east-1:1234567890:task-definition/johndoe-fargate:498 and desired count 1
Creating Stage Service abc__1 with task definition arn:aws:ecs:us-east-1:xxx:task-definition/johndoe-fargate:498 and desired count 1
Waiting for pending tasks to finish. 0/1 running ...
Waiting for pending tasks to finish. 0/1 running ...
Waiting for pending tasks to finish. 0/1 running ...
# AWS Event: 2022-10-11 02:50:59.657 (service abc__1) has started 1 tasks: (task e8ffa30be4a848d387ab8ed66ba31417).
Waiting for pending tasks to finish. 0/1 running ...
Waiting for pending tasks to finish. 1/1 running ...
# AWS Event: 2022-10-11 02:51:27.667 (service abc__1) registered 1 targets in (target-group arn:aws:elasticloadbalancing:us-east-1:1234567890:targetgroup/example-tg-ip-2/34b77f72b13e45f4)
# AWS Event: 2022-10-11 02:51:27.667 (service abc__1) registered 1 targets in (target-group arn:aws:elasticloadbalancing:us-east-1:xxx:targetgroup/example-tg-ip-2/34b77f72b13e45f4)
Waiting for Service abc__1 to reach steady state
Service abc__1 reached steady state
Created Stage Service abc__1 with Arn arn:aws:ecs:us-east-1:1234567890:service/example-test/abc__1
Created Stage Service abc__1 with Arn arn:aws:ecs:us-east-1:xxx:service/example-test/abc__1

Target Group with Arn: arn:aws:elasticloadbalancing:us-east-1:1234567890:targetgroup/example-tg-ip-2/34b77f72b13e45f4 is associated with Stage Service abc__1
Target Group with Arn: arn:aws:elasticloadbalancing:us-east-1:xxx:targetgroup/example-tg-ip-2/34b77f72b13e45f4 is associated with Stage Service abc__1
Tag: [BG_VERSION, GREEN] is associated with Stage Service abc__1
```

Expand All @@ -1330,17 +1376,17 @@ Here's an example of the output of the step:

```
Modifying ELB Prod Listener to Forward requests to Target group associated with new Service
,TargetGroup: arn:aws:elasticloadbalancing:us-east-1:1234567890:targetgroup/example-tg-ip-2/34b77f72b13e45f4
Modifying the default Listener: arn:aws:elasticloadbalancing:us-east-1:1234567890:listener/app/example-alb/8c164c70eb817f6a/83cbd24bc4f6d349
with listener rule: arn:aws:elasticloadbalancing:us-east-1:1234567890:listener-rule/app/example-alb/8c164c70eb817f6a/83cbd24bc4f6d349/a249570503765d2d
to forward traffic to TargetGroup: arn:aws:elasticloadbalancing:us-east-1:1234567890:targetgroup/example-tg-ip-2/34b77f72b13e45f4
,TargetGroup: arn:aws:elasticloadbalancing:us-east-1:xxx:targetgroup/example-tg-ip-2/34b77f72b13e45f4
Modifying the default Listener: arn:aws:elasticloadbalancing:us-east-1:xxx:listener/app/example-alb/8c164c70eb817f6a/83cbd24bc4f6d349
with listener rule: arn:aws:elasticloadbalancing:us-east-1:xxx:listener-rule/app/example-alb/8c164c70eb817f6a/83cbd24bc4f6d349/a249570503765d2d
to forward traffic to TargetGroup: arn:aws:elasticloadbalancing:us-east-1:xxx:targetgroup/example-tg-ip-2/34b77f72b13e45f4
Successfully updated Prod Listener

Modifying ELB Stage Listener to Forward requests to Target group associated with old Service
,TargetGroup: arn:aws:elasticloadbalancing:us-east-1:1234567890:targetgroup/example-tg-ip-1/52b1f157d3240800
Modifying the default Listener: arn:aws:elasticloadbalancing:us-east-1:1234567890:listener/app/example-alb/8c164c70eb817f6a/cfbb98e593af641b
with listener rule: arn:aws:elasticloadbalancing:us-east-1:1234567890:listener-rule/app/example-alb/8c164c70eb817f6a/cfbb98e593af641b/30983f6b6338ce10
to forward traffic to TargetGroup: arn:aws:elasticloadbalancing:us-east-1:1234567890:targetgroup/example-tg-ip-1/52b1f157d3240800
,TargetGroup: arn:aws:elasticloadbalancing:us-east-1:xxx:targetgroup/example-tg-ip-1/52b1f157d3240800
Modifying the default Listener: arn:aws:elasticloadbalancing:us-east-1:xxx:listener/app/example-alb/8c164c70eb817f6a/cfbb98e593af641b
with listener rule: arn:aws:elasticloadbalancing:us-east-1:xxx:listener-rule/app/example-alb/8c164c70eb817f6a/cfbb98e593af641b/30983f6b6338ce10
to forward traffic to TargetGroup: arn:aws:elasticloadbalancing:us-east-1:xxx:targetgroup/example-tg-ip-1/52b1f157d3240800
Successfully updated Stage Listener

Updating tag of new service: abc__1
Expand Down Expand Up @@ -1535,7 +1581,7 @@ deploymentConfiguration:
maximumPercent: 100
minimumHealthyPercent: 0
**serviceRegistries:**
** - registryArn: arn:aws:servicediscovery:us-east-1:1234567890:service/srv-xeycgshb42ydmokf**
** - registryArn: arn:aws:servicediscovery:us-east-1:xxx:service/srv-xeycgshb42ydmokf**
```

With the above Service Registry ARN specified in the ECS service definition, deployed services are marked with Service Discovery.
Expand All @@ -1561,13 +1607,13 @@ See the `deployment-configuration` setting in the following example:

```json
"service": {
"serviceArn": "arn:aws:ecs:us-east-1:1234567890:service/servicediscoverytest/ecs-service-discovery",
"serviceArn": "arn:aws:ecs:us-east-1:xxx:service/servicediscoverytest/ecs-service-discovery",
"serviceName": "ecs-service-discovery",
"clusterArn": "arn:aws:ecs:us-east-1:1234567890:cluster/servicediscoverytest",
"clusterArn": "arn:aws:ecs:us-east-1:xxx:cluster/servicediscoverytest",
"loadBalancers": [],
"serviceRegistries": [
{
"registryArn": "arn:aws:servicediscovery:us-east-1:1234567890:service/srv-xbnxncsqdovyuztm"
"registryArn": "arn:aws:servicediscovery:us-east-1:xxx:service/srv-xbnxncsqdovyuztm"
}
],
"status": "ACTIVE",
Expand All @@ -1577,7 +1623,7 @@ See the `deployment-configuration` setting in the following example:
"launchType": "FARGATE",
"platformVersion": "LATEST",
"platformFamily": "Linux",
"taskDefinition": "arn:aws:ecs:us-east-1:1234567890:task-definition/tutorial-task-def:1",
"taskDefinition": "arn:aws:ecs:us-east-1:xxx:task-definition/tutorial-task-def:1",
"deploymentConfiguration": {
"deploymentCircuitBreaker": {
"enable": false,
Expand All @@ -1590,7 +1636,7 @@ See the `deployment-configuration` setting in the following example:
{
"id": "ecs-svc/0410909316449095426",
"status": "PRIMARY",
"taskDefinition": "arn:aws:ecs:us-east-1:1234567890:task-definition/tutorial-task-def:1",
"taskDefinition": "arn:aws:ecs:us-east-1:xxx:task-definition/tutorial-task-def:1",
"desiredCount": 1,
"deployment-configuration": "deploymentCircuitBreaker={enable=true,rollback=true}" ,
"pendingCount": 0,
Expand Down