Does --wait-until=deployed option require more action policies than --wait-until=stable?

[tomoya]

ecspresso version: v2.5.0

An error occurred when using the --wait-until=deployed option.

2025-06-13T15:38:46.864+09:00 [ERROR] FAILED. failed to list service deployments: operation error ECS: ListServiceDeployments, https response error StatusCode: 400, RequestID: REQUESTID, AccessDeniedException: User: arn:aws:iam::ACCOUNTID:user/USERNAME is not authorized to perform: ecs:ListServiceDeployments on resource: arn:aws:ecs:ap-northeast-1:ACCOUNTID:service/CLUSTERNAME/SERVICENAME because no identity-
based policy allows the ecs:ListServiceDeployments action

However, ecspresso verify completed successfully.

After that, I tried removing --wait-until=deployed and the deployment was successful.

I haven't tried it yet, but if you add ecs:ListServiceDeployments to my policy, the deployment would be successful.

[sugitak]

Great point!
You may also need ecs:DescribeServiceDeployments too.

ecspresso/wait.go

Lines 160 to 215 in 7ec42dd

	func (d *App) WaitServiceDeployCompleted(ctx context.Context, sv *Service) error {
	d.LogInfo("Waiting for service deployed...(it will take a few minutes)")
	sleepContext(ctx, 10*time.Second) // wait for new deployment created
	listResp, err := d.ecs.ListServiceDeployments(ctx, &ecs.ListServiceDeploymentsInput{
	Cluster: &d.Cluster,
	Service: &d.Service,
	})
	if err != nil {
	return fmt.Errorf("failed to list service deployments: %w", err)
	}
	if len(listResp.ServiceDeployments) == 0 {
	return errors.New("no deployments found for the service")
	}
	// find the latest deployment
	deployment := lo.MaxBy(listResp.ServiceDeployments, func(item types.ServiceDeploymentBrief, max types.ServiceDeploymentBrief) bool {
	return item.CreatedAt.After(*max.CreatedAt)
	})
	deploymentArn := deployment.ServiceDeploymentArn
	d.LogInfo("Waiting for service deployment %s to complete...", arnToName(*deploymentArn))
	tick := time.NewTicker(10 * time.Second)
	defer tick.Stop()
	st := &showState{lastEventAt: time.Now()}
	for range tick.C {
	select {
	case <-ctx.Done():
	return ctx.Err()
	default:
	}
	if err := d.showServiceStatus(ctx, st); err != nil {
	d.LogWarn("%s", err.Error())
	continue
	}
	resp, err := d.ecs.DescribeServiceDeployments(ctx, &ecs.DescribeServiceDeploymentsInput{
	ServiceDeploymentArns: []string{*deploymentArn},
	})
	if err != nil {
	return fmt.Errorf("failed to describe service deployments: %w", err)
	}
	if len(resp.ServiceDeployments) == 1 {
	status := resp.ServiceDeployments[0].Status
	switch status {
	case types.ServiceDeploymentStatusSuccessful, types.ServiceDeploymentStatusRollbackSuccessful:
	d.LogInfo("Service deployment completed %s", status)
	return nil
	case types.ServiceDeploymentStatusStopped, types.ServiceDeploymentStatusRollbackFailed, types.ServiceDeploymentStatusStopRequested:
	return fmt.Errorf("Service deployment failed %s", status)
	default:
	d.LogDebug("Deployment %s, waiting...", status)
	}
	}
	}
	return nil
	}

https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerservice.html

[tomoya]

Update notice.

The deployment was successful using --wait-until=stable option. After that, I tryied deployment to use used --wait-until=stable.

2025-06-13T15:38:13.737+09:00 [ERROR] FAILED. failed to list service deployments: operation error ECS: ListServiceDeployments, https response error StatusCode: 400, RequestID: REQUESTID, AccessDeniedException: User: arn:aws:iam::ACCOUNTID:user/USERNAME is not authorized to perform: ecs:ListServiceDeployments on resource: arn:aws:ecs:ap-northeast-1:ACCOUNTID:service/CLUSTERNAME/SERVICENAME because no identity-based policy allows the ecs:ListServiceDeployments action

I added ecs:ListServiceDeployments action to my ECS service resource. And try again.

2025-06-13T16:05:38.610+09:00 [ERROR] FAILED. failed to describe service deployments: operation error ECS: DescribeServiceDeployments, https response error StatusCode: 400, RequestID: REQUESTID, AccessDeniedException: User: arn:aws:iam::ACCOUNTID:user/USERNAME is not authorized to perform: ecs:DescribeServiceDeployments on resource: arn:aws:ecs:ap-northeast-1:ACCOUNTID:service/CLUSTERNAME/SERVICENAME becauseno identity-based policy allows the ecs:DescribeServiceDeployments action

I added ecs:DescribeServiceDeployments action to my ECS service resource. And try again.

2025-06-13T16:06:56.821+09:00 [ERROR] FAILED. failed to describe service deployments: operation error ECS: DescribeServiceDeployments, https response error StatusCode: 400, RequestID: REQUESTID, AccessDeniedException: User: arn:aws:iam::ACCOUNTID:user/USERNAME is not authorized to perform: ecs:DescribeServiceDeployments on resource: arn:aws:ecs:ap-northeast-1:ACCOUNTID:service-deployment/CLUSTERNAME/SERVICENAME/UNKNOWNID because no identity-based policy allows the ecs:DescribeServiceDeployments action

I added ecs:DescribeServiceDeployments to service-deployment/CLUSTERNAME/SERVICENAME/* resource. And try again.

The deployment was successful using --wait-until=deployed option.

[fujiwara]

@tomoya Thank you for the reporting!

However, ecspresso verify completed successfully.

ecspresso verify does not check the IAM permissions assigned to itself.

Surely --wait-until=deployed requires ecs:(Describe|List)ServiceDeployments, but it is not documented at now.

I'll enrich the document of IAM permissions. Thank you!