What IAM permissions are required for CloudFormation deployment to ECS Fargate?

I am trying to deploy Retool to ECS Fargate, but the CF stack will not complete. Each of the "CreateService" steps fails with an AccessDeniedException.

Resource handler returned message: "Invalid request provided: CreateService error: Access denied (Service: AmazonECS; Status Code: 400; Error Code: AccessDeniedException; Request ID: ; Proxy: null)" (RequestToken: , HandlerErrorCode: InvalidRequest)

The stack has been assigned an IAM role which provides full access to ECS APIs from CloudFormation, but the stack creation consistently fails at this point.

Any suggestions?

Turns out that the CloudFormation service is returning a misleading error. In my case, I was receiving "AccessDenied" but the correct error should have been something indicating that the service in question does not exist.
For future readers, be sure that your target cluster in the CF inputs already exists (my cluster name had a typo).


That should read "the cluster in question does not exist."
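
A preflight check for the situation described in this thread, added here as an example and not posted by anyone in the thread: it confirms that the cluster named in the stack inputs exists and is ACTIVE before the stack is created, so a typo surfaces as a missing cluster instead of an AccessDeniedException on CreateService. The cluster names, account ID and sample response are constructed; the response layout is assumed to follow the ECS DescribeClusters result (`clusters` and `failures` lists).

```python
"""Preflight: confirm the ECS cluster named in the stack inputs exists."""
import sys


def unusable_clusters(requested, response):
    """Return {name: reason} for requested clusters that are missing or not ACTIVE.

    `response` has the shape of the ECS DescribeClusters result: a "clusters"
    list (clusterName, status) and a "failures" list (arn, reason).
    """
    problems = {}
    found = {c["clusterName"]: c.get("status", "UNKNOWN")
             for c in response.get("clusters", [])}
    failed = {f.get("arn", "").rsplit("/", 1)[-1]: f.get("reason", "UNKNOWN")
              for f in response.get("failures", [])}
    for name in requested:
        short = name.rsplit("/", 1)[-1]  # accept a short name or a full ARN
        if short in failed:
            problems[name] = failed[short]      # typically "MISSING"
        elif short not in found:
            problems[name] = "NOT_RETURNED"
        elif found[short] != "ACTIVE":
            problems[name] = found[short]       # e.g. a deleted, INACTIVE cluster
    return problems


def check_live(names, region=None):
    """Query ECS with boto3 (the caller needs ecs:DescribeClusters)."""
    import boto3  # imported here so the pure check above runs without it
    ecs = boto3.client("ecs", region_name=region)
    return unusable_clusters(names, ecs.describe_clusters(clusters=list(names)))


# Constructed sample response: "retool-prod" exists, the typo "retool-prd" does not.
SAMPLE = {
    "clusters": [{"clusterName": "retool-prod", "status": "ACTIVE"}],
    "failures": [{"arn": "arn:aws:ecs:us-east-1:111122223333:cluster/retool-prd",
                  "reason": "MISSING"}],
}

if __name__ == "__main__":
    # With arguments: check those cluster names live. Without: run on SAMPLE.
    bad = (check_live(sys.argv[1:]) if len(sys.argv) > 1
           else unusable_clusters(["retool-prod", "retool-prd"], SAMPLE))
    for name, reason in bad.items():
        print(f"cluster {name!r} unusable: {reason}")
    sys.exit(1 if bad else 0)
```

Run with the cluster name from the CF inputs as the argument; a non-zero exit means the name does not resolve to an active cluster.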