Tamir Ohana

Reputation: 143

Why I am getting "not authorized to perform: ecs:ListTasks on resource: *" exception on AWS API

I'm trying to get a list of tasks that are running on my ECS environment from the AWS API, but I'm getting the same error all the time:

User: arn:aws:iam::[my_id]:user/[username] is not authorized to perform: ecs:ListTasks on resource: *

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ecs:RunTask",
                "ecs:ListTasks",
                "ecs:StartTask",
                "ecs:StopTask"
            ],
            "Resource": [
                "arn:aws:ecs:us-east-1:[my_id]:task/*",
                "arn:aws:ecs:us-east-1:[my_id]:task-definition/*",
                "arn:aws:ecs:us-east-1:[my_id]:cluster/*",
                "arn:aws:ecs:us-east-1:[my_id]:task-set/*/*/*",
                "arn:aws:ecs:us-east-1:[my_id]:container-instance/*",
                "arn:aws:ecs:us-east-1:[my_id]:service/*"
            ]
        }
    ]
}

So as you can see I should access the action with all the available resources. What am I missing?

Thanks.

Upvotes: 12

Views: 16977

Answers (1)

Arun Kamalanathan

Reputation: 8593

The ListTasks action only supports container instances as the resource, not the cluster ARN. The cluster ARN can only be added as a condition.

The following policy works.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ecs:ListTasks",
            "Resource": "*",
            "Condition": {
                "ArnEquals": {
                    "ecs:cluster": "arn:aws:ecs:ap-southeast-2:[account id]:cluster/MyEcsCluster"
                }
            }
        }
    ]
}

Reference: Actions defined by Amazon Elastic Container Service (check the ListTasks action in this reference)

Hope this helps.

Upvotes: 22
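As an added illustration (not code from the question or the answer): a deliberately simplified model of how IAM matches an Allow statement's Action, Resource and ArnEquals condition, run over the two policies posted above. It assumes only Allow statements and the ArnEquals operator, which is enough to show why the first policy fails and the second succeeds; the real evaluator handles far more.

```python
import re
# Both policies below are the ones posted on this page (question and answer),
# with "[my_id]" / "[account id]" left exactly as written there.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ecs:RunTask", "ecs:ListTasks", "ecs:StartTask", "ecs:StopTask"],
    "Resource": ["arn:aws:ecs:us-east-1:[my_id]:task/*",
                 "arn:aws:ecs:us-east-1:[my_id]:task-definition/*",
                 "arn:aws:ecs:us-east-1:[my_id]:cluster/*",
                 "arn:aws:ecs:us-east-1:[my_id]:task-set/*/*/*",
                 "arn:aws:ecs:us-east-1:[my_id]:container-instance/*",
                 "arn:aws:ecs:us-east-1:[my_id]:service/*"]}]}
CLUSTER = "arn:aws:ecs:ap-southeast-2:[account id]:cluster/MyEcsCluster"
ANSWER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "ecs:ListTasks", "Resource": "*",
    "Condition": {"ArnEquals": {"ecs:cluster": CLUSTER}}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _iam_match(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _conditions_hold(condition, context):
    # Only ArnEquals is modelled; a key absent from the request context fails
    # the test, as it does in IAM for operators without the ...IfExists suffix.
    for operator, tests in condition.items():
        if operator != "ArnEquals":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in tests.items():
            actual = context.get(key)
            if actual is None or not any(_iam_match(p, actual) for p in _as_list(expected)):
                return False
    return True

def is_allowed(policy, action, resource, context=None):
    """Simplified IAM check: True when an Allow statement matches the action, the
    request resource and every condition (Deny is not modelled). ecs:ListTasks has
    no resource ARN, so pass resource="*" as in the error; only "*" matches it."""
    context = context or {}
    for stmt in policy["Statement"]:
        if (stmt.get("Effect") == "Allow"
                and any(_iam_match(a, action) for a in _as_list(stmt["Action"]))
                and any(_iam_match(r, resource) for r in _as_list(stmt["Resource"]))
                and _conditions_hold(stmt.get("Condition", {}), context)):
            return True
    return False
```

With resource "*" and the cluster ARN in the request context, the question's policy yields False and the answer's policy True; the answer's policy also denies when the context carries a different cluster ARN or none at all.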
