From 6924cb3ea3bc28af0b960eaad997efed50fed0f6 Mon Sep 17 00:00:00 2001
From: Lloyd Pick <lloydpick@gmail.com>
Date: Thu, 2 Aug 2018 09:34:16 -0400
Subject: [PATCH] add an example iam policy

---
 README.md | 94 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 94 insertions(+)

diff --git a/README.md b/README.md
index b40c49f..38b3175 100644
--- a/README.md
+++ b/README.md
@@ -42,6 +42,100 @@ When using the docker image directly you can set all parameters using environmen
 * ECS_GEN_FREQUENCY
 * ECS_GEN_ONCE
 
+## ECS Task IAM Policy
+
+The following is a IAM Role that contains the permissions required for ecs-gen to operate.
+You will need to change one reference to your own ECS Cluster as seen at `"Fn::GetAtt": ["ECSCluster", "Arn"]` as yours might not be called `ECSCluster`.
+
+    "HaproxyRole": {
+      "Type": "AWS::IAM::Role",
+      "Properties": {
+        "AssumeRolePolicyDocument": {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Effect": "Allow",
+              "Principal": {
+                "Service": ["ecs-tasks.amazonaws.com"]
+              },
+              "Action": ["sts:AssumeRole"]
+            }
+          ]
+        },
+        "Path": "/",
+        "Policies": [
+          {
+            "PolicyName": "ec2",
+            "PolicyDocument": {
+              "Statement": [
+                {
+                  "Effect": "Allow",
+                  "Action": ["ec2:DescribeInstances"],
+                  "Resource": "*"
+                }
+              ]
+            }
+          },
+          {
+            "PolicyName": "ecs",
+            "PolicyDocument": {
+              "Statement": [
+                {
+                  "Effect": "Allow",
+                  "Action": ["ecs:DescribeContainerInstances"],
+                  "Resource": {
+                    "Fn::Join": [":",
+                      [
+                        "arn:aws:ecs",
+                        { "Ref": "AWS::Region" },
+                        { "Ref": "AWS::AccountId" },
+                        "container-instance/*"
+                      ]
+                    ]
+                  }
+                },
+                {
+                  "Effect": "Allow",
+                  "Action": [
+                    "ecs:DescribeClusters",
+                    "ecs:ListContainerInstances"
+                  ],
+                  "Resource": {
+                    "Fn::GetAtt": ["ECSCluster", "Arn"]
+                  }
+                },
+                {
+                  "Effect": "Allow",
+                  "Action": [
+                    "ecs:DescribeTaskDefinition",
+                    "ecs:ListTasks"
+                  ],
+                  "Resource": "*"
+                },
+                {
+                  "Effect": "Allow",
+                  "Action": [
+                    "ecs:DescribeTasks"
+                  ],
+                  "Resource": {
+                    "Fn::Join": [
+                      ":",
+                      [
+                        "arn:aws:ecs",
+                        { "Ref": "AWS::Region" },
+                        { "Ref": "AWS::AccountId" },
+                        "task/*"
+                      ]
+                    ]
+                  }
+                }
+              ]
+            }
+          }
+        ]
+      }
+    }
+
 ## Example
 ### Fill a template once
 Running the following on the commandline `ecs-gen` will query the specified cluster, execute the template and exit.
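Review bot: The two inline `PolicyDocument`s (the `ec2` and `ecs` policies) omit the `"Version"` key that the `AssumeRolePolicyDocument` above them does include, so IAM evaluates them under the legacy 2008-10-17 default; add `"Version": "2012-10-17",` before `"Statement"` in both so the example matches current IAM guidance and passes the usual policy linters. The two `"Resource": "*"` statements (`ec2:DescribeInstances`, and `ecs:DescribeTaskDefinition`/`ecs:ListTasks`) deserve a sentence in the prose explaining that the wildcard is there because those actions are read-only and, as far as I can tell, do not accept resource-level scoping, so readers copying the snippet know not to treat it as a gap to widen or an oversight to "fix" differently. The intro text should also say this is a CloudFormation `AWS::IAM::Role` resource rather than a bare IAM policy, since `Fn::Join`, `Ref` and `Fn::GetAtt` will not work if someone pastes it into the IAM console; while there, "a IAM Role" should read "an IAM role".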