Channels
pulumi-ai
package-authoring
pulumi-cdk
oracle-cloud-infrastructure
learn-pulumi-events
linen
registry
built-with-pulumi
pulumi-cloud
contribex
testingtesting321
hacktoberfest
cloudengineering
yaml
pulumi-crosscode
content-share
finops
multi-language-hackathon
office-hours
workshops
blog-posts
localstack
welcome
gitlab
pulumi-kubernetes-operator
jobs
aws
pulumi-deployments
dotnet
golang
announcements
java
pulumiverse
python
install
getting-started
cloudengineering-support
testingtesting123
hackathon-03-19-2020
typescript
google-cloud
contribute
azure
kubernetes
docs
automation-api
status
general
Title
f
fresh-keyboard-13188
08/26/2022, 12:40 PMHello! Could anybody chip in here plz 🙂 https://pulumi-community.slack.com/archives/C84L4E3N1/p1661501169016009
c
clever-sunset-76585
08/26/2022, 8:06 PMYou can pass in your own task role to prevent Pulumi from creating the default ones. If you don't provide a default task role, it's pretty difficult to know what you need so Pulumi chooses a better experience things just work, which you can override.
https://github.com/pulumi/pulumi-awsx/blob/f1efc486ed7be49855f624ce994b8c1004e5e000/awsx-classic/ecs/taskDefinition.ts#L64
f
fresh-keyboard-13188
08/28/2022, 12:54 PMHi! Thanks for your message. I was wondering about whether the code comment is true, because if I do in fact need full permissions to run Tasks, then there's no reason to create these policies from scratch. I can just use what Pulumi uses and augment it with my own policies where needed.
c
clever-sunset-76585
08/28/2022, 3:23 PMAh I see what you are asking for. I doubt the tasks themselves need full access to anything. Again, if they did need full access I also doubt that you would be allowed to pass in a task role of your own at all. It would be redundant.
f
fresh-keyboard-13188
08/28/2022, 3:31 PMThanks! I assume it's just a weird comment that stuck around. On the point of not being allowed to pass in a custom task role, I don't think that's the case. Remember that just because I have Lambda and Ecs full access policies, it doesn't mean I can do anything with SSM or S3. So I still need policies in addition to the full access Lambda and Ecs policies. It's just a matter of do we Really need those two to be full access 🙂
c
clever-sunset-76585
08/28/2022, 3:36 PMThat's a good point. Why does an ECS task need full access to Lambda anyway? I don't recall ever needing to grant tasks any access to the Lambda service. But it's been a while since I've worked with ECS. (I was the lead for the Pulumi Service.)
👍 1
f
fresh-keyboard-13188
08/28/2022, 3:39 PMYeh I have no clue why tbh, I thought there might be some wizardry involved I am not aware of.
Nice, you guys did a great job on the product I like it a lot
c
clever-sunset-76585
08/28/2022, 3:45 PMYou probably already tried this but I'd try passing a task role that does not have Lambda access and see what happens. It's also possible, and to your point, that it might be needed for some reason but it might be needed only because it's AWSX. It's possible that they are doing something in AWSX that needs it or perhaps there are other permissions in the Lambda policy that they need and the Lambda policy may have been the closest AWS-managed policy they could add that has the permissions they needed.
I've used ECS extensively while I was at Pulumi but it wasn't via the AWSX package. I don't recall ever needing to specify Lambda permissions for it.
f
fresh-keyboard-13188
08/29/2022, 8:37 AMI actually tried it now and it seems to be working without any of these. No Lambda or ECS is in fact needed 😄 I guess it's all good then. I think my confusion stemmed from the fact that previously I tried adjusting the
taskExecutionRoletaskRolecheers!