Permissions required for Lambda functions in Amazon ECS blue/green deployments
When you use Lambda functions as deployment lifecycle hooks in Amazon ECS blue/green deployments, you need to create an IAM role with specific permissions. This role allows Amazon ECS to invoke your Lambda functions at various stages of the deployment lifecycle.
The following additional permission is required:
- lambda:InvokeFunction – Allows Amazon ECS to invoke the Lambda functions configured as lifecycle hooks during the deployment process.
The following permissions policy grants the role exactly what it needs for Lambda lifecycle hooks. Note that the Resource element only matches functions whose names start with ECS-, so either name your hook functions with that prefix or change the pattern to match the functions you actually use:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": "arn:aws:lambda:*:*:function:ECS-*"
        }
    ]
}
Do not add iam:PassRole to this policy. That permission is needed by the IAM principal that creates or updates the service and references this role, and it is granted on the role's ARN, not on a Lambda function ARN, where it never matches.
The trust policy must allow the Amazon ECS service principal to assume this role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "ecs.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
Because this trust policy accepts the ecs.amazonaws.com principal regardless of which account the service runs in, consider adding aws:SourceAccount (and, where you know it, aws:SourceArn) conditions so that only Amazon ECS acting on your own account can assume the role.
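The two documents above are easy to get subtly wrong: a hook function whose name lacks the ECS- prefix is silently not invocable, and a trust policy that drifts to a broader principal hands the role to something other than Amazon ECS. The following Python script is an added illustration, not code from the Amazon ECS documentation: it evaluates the permissions policy and trust policy from this section offline against a few constructed hook function ARNs (the account ID and function names are hypothetical) and reports which hooks the role could not invoke, whether the Resource is wildcarded, and whether any principal other than ecs.amazonaws.com is trusted. It deliberately ignores Deny statements and Condition blocks, which the policies on this page do not use.

```python
"""Offline sanity check for the role Amazon ECS assumes to invoke blue/green
lifecycle hooks. Added example; the policies mirror this page, the ARNs are constructed."""
import json
import re

# Permissions policy from this section: invoke only Lambda functions named ECS-*.
PERMISSION_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["lambda:InvokeFunction"],
     "Resource": "arn:aws:lambda:*:*:function:ECS-*"}
  ]
}
""")

# Trust policy from this section: only the ECS service principal may assume the role.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"Service": ["ecs.amazonaws.com"]},
     "Action": "sts:AssumeRole"}
  ]
}
""")

# Constructed sample hook ARNs (hypothetical account 123456789012 and names).
SAMPLE_HOOK_ARNS = [
    "arn:aws:lambda:us-east-1:123456789012:function:ECS-pre-scale-up",
    "arn:aws:lambda:eu-west-1:123456789012:function:ECS-post-test-traffic-shift",
    "arn:aws:lambda:us-east-1:123456789012:function:pre-scale-up",  # prefix missing
]


def _as_list(value):
    """IAM allows scalars or lists for Action, Resource, Service; normalise to list."""
    return value if isinstance(value, list) else [value]


def iam_glob_match(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def allowed_resources(policy, action):
    """Resource patterns from Allow statements whose Action covers `action`."""
    patterns = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if any(iam_glob_match(a, action) for a in _as_list(stmt.get("Action", []))):
            patterns.extend(_as_list(stmt.get("Resource", [])))
    return patterns


def can_invoke(policy, function_arn):
    """True if the policy lets the role call lambda:InvokeFunction on function_arn."""
    return any(iam_glob_match(p, function_arn)
               for p in allowed_resources(policy, "lambda:InvokeFunction"))


def trusted_services(trust_policy):
    """Principals allowed to sts:AssumeRole; '*' is recorded if the principal is wildcarded."""
    services = set()
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(iam_glob_match(a, "sts:AssumeRole") for a in _as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            services.add("*")
        else:
            services.update(_as_list(principal.get("Service", [])))
    return services


def audit(policy, trust_policy, hook_arns):
    """Findings a deployer wants before wiring the hooks into a service definition."""
    return {
        "not_invocable": [arn for arn in hook_arns if not can_invoke(policy, arn)],
        "overly_broad": [p for p in allowed_resources(policy, "lambda:InvokeFunction") if p == "*"],
        "unexpected_principals": sorted(trusted_services(trust_policy) - {"ecs.amazonaws.com"}),
    }


if __name__ == "__main__":
    print(json.dumps(audit(PERMISSION_POLICY, TRUST_POLICY, SAMPLE_HOOK_ARNS), indent=2))
```

Run it before creating the service: an entry under not_invocable means the hook will fail at deployment time, an entry under overly_broad means the role can invoke every Lambda function in the account, and anything under unexpected_principals means the trust policy has drifted from the one shown above.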