Hello! Could anybody chip in here plz :slightly_sm...
# typescript
f
c
You can pass in your own task role to prevent Pulumi from creating the default ones. If you don't provide a default task role, it's pretty difficult to know what you need, so Pulumi chooses a better experience where things just work, which you can override. https://github.com/pulumi/pulumi-awsx/blob/f1efc486ed7be49855f624ce994b8c1004e5e000/awsx-classic/ecs/taskDefinition.ts#L64
f
Hi! Thanks for your message. I was wondering about whether the code comment is true, because if I do in fact need full permissions to run Tasks, then there's no reason to create these policies from scratch. I can just use what Pulumi uses and augment it with my own policies where needed.
c
Ah I see what you are asking for. I doubt the tasks themselves need full access to anything. Again, if they did need full access I also doubt that you would be allowed to pass in a task role of your own at all. It would be redundant.
f
Thanks! I assume it's just a weird comment that stuck around. On the point of not being allowed to pass in a custom task role, I don't think that's the case. Remember that just because I have Lambda and ECS full access policies, it doesn't mean I can do anything with SSM or S3. So I still need policies in addition to the full access Lambda and ECS policies. It's just a matter of: do we really need those two to be full access 🙂
c
That's a good point. Why does an ECS task need full access to Lambda anyway? I don't recall ever needing to grant tasks any access to the Lambda service. But it's been a while since I've worked with ECS. (I was the lead for the Pulumi Service.)
f
Yeah, I have no clue why tbh, I thought there might be some wizardry involved I am not aware of. Nice, you guys did a great job on the product, I like it a lot
c
You probably already tried this but I'd try passing a task role that does not have Lambda access and see what happens. It's also possible, and to your point, that it might be needed for some reason but it might be needed only because it's AWSX. It's possible that they are doing something in AWSX that needs it or perhaps there are other permissions in the Lambda policy that they need and the Lambda policy may have been the closest AWS-managed policy they could add that has the permissions they needed. I've used ECS extensively while I was at Pulumi but it wasn't via the AWSX package. I don't recall ever needing to specify Lambda permissions for it.
f
I actually tried it now and it seems to be working without any of these. No Lambda or ECS is in fact needed 😄 I guess it's all good then. I think my confusion stemmed from the fact that previously I tried adjusting the `taskExecutionRole`, which needs different permissions than `taskRole`. Cheers!