From 5e8805f24d9c1420721089d742843ca17ab2a802 Mon Sep 17 00:00:00 2001 From: Rickard von Essen Date: Wed, 8 Feb 2017 15:08:16 +0100 Subject: [PATCH] ECS: Docs - info about cred. resolution and required access policies Added information about how AWS credentials are resolved and which access rights are needed by the Traefik ECS provider. --- docs/toml.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/docs/toml.md b/docs/toml.md index 093c8b94b..0891809f7 100644 --- a/docs/toml.md +++ b/docs/toml.md @@ -1423,3 +1423,33 @@ Labels can be used on task containers to override default behaviour: - `traefik.frontend.passHostHeader=true`: forward client `Host` header to the backend. - `traefik.frontend.priority=10`: override default frontend priority - `traefik.frontend.entryPoints=http,https`: assign this frontend to entry points `http` and `https`. Overrides `defaultEntryPoints`. + +If `AccessKeyID`/`SecretAccessKey` is not given credentials will be resolved in the following order: + +- From environment variables; `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN`. +- Shared credentials, determined by `AWS_PROFILE` and `AWS_SHARED_CREDENTIALS_FILE`, defaults to `default` and `~/.aws/credentials`. +- EC2 instance role or ECS task role + +Træfɪk needs the following policy to read ECS information: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "Traefik ECS read access", + "Effect": "Allow", + "Action": [ + "ecs:ListTasks", + "ecs:DescribeTasks", + "ecs:DescribeContainerInstances", + "ecs:DescribeTaskDefinition", + "ec2:DescribeInstances" + ], + "Resource": [ + "*" + ] + } + ] +} +```
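Review bot: The `"Sid": "Traefik ECS read access"` in the added policy block will be rejected by IAM, which only accepts alphanumeric statement IDs (no spaces), so anyone pasting this policy verbatim into an IAM policy document gets a validation error; use something like `"Sid": "TraefikECSReadAccess"` or drop the `Sid` entirely. Since the same block grants `"Resource": ["*"]`, it would also help readers to say in a sentence whether the wildcard is required for these `List*`/`Describe*` calls or whether it can be narrowed to specific cluster ARNs, because this snippet will be copied into production as-is. In the credential-resolution list, the last bullet `EC2 instance role or ECS task role` lumps two providers together; state which one is tried first so operators running Traefik as an ECS task on an instance that also has an instance profile know which identity they are actually authorizing. Minor wording: `If `AccessKeyID`/`SecretAccessKey` is not given credentials will be resolved` needs a comma after "given", and the first bullet's `From environment variables;` should use a colon rather than a semicolon before the variable names.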