diff --git a/ecs/docs/requirements.md b/ecs/docs/requirements.md new file mode 100644 index 00000000..d142de4f --- /dev/null +++ b/ecs/docs/requirements.md @@ -0,0 +1,31 @@ +## Requirements + +This plugin relies on AWS API credentials, using the same configuration files as +the AWS command line. + +Such credentials can be configured by the `docker ecs setup` command, either by +selecting an existing AWS CLI profile from existing config files, or by creating +one passing an AWS access key ID and secret access key. + +## Permissions + +AWS accounts (or IAM roles) used with the ECS plugin require following permissions: + +- ec2:DescribeSubnets +- ec2:DescribeVpcs +- iam:CreateServiceLinkedRole +- iam:AttachRolePolicy +- cloudformation:* +- ecs:* +- logs:* +- servicediscovery:* +- elasticloadbalancing:* + + +## Okta support + +For those relying on [aws-okta](https://github.com/segmentio/aws-okta) to access a managed AWS account +(as we do at Docker), you can populate your aws config files with temporary access tokens using: +```shell script +aws-okta write-to-credentials ~/.aws/credentials +```
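Review bot: The Permissions list documents five whole service namespaces as wildcards (`cloudformation:*`, `ecs:*`, `logs:*`, `servicediscovery:*`, `elasticloadbalancing:*`) and lists `iam:AttachRolePolicy` and `iam:CreateServiceLinkedRole` with no resource scope, so a reader who copies it into a policy ends up with far more than a deploy tool normally needs. Without a resource constraint, `iam:AttachRolePolicy` allows attaching any managed policy to any role in the account. Please either enumerate the specific actions the plugin calls, or add a sentence saying which resources the two IAM actions should be restricted to and that the wildcards are a starting point to be narrowed. In the Okta section, it would also help to say that the tokens written to `~/.aws/credentials` are temporary and the command has to be re-run when they expire. Two small style points: "require following permissions" should read "require the following permissions", and the fence info string "shell script" is not a single language tag, so use "shell".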