From 5e1f40b752937fb1c9b9e5787eca56fcc35c0600 Mon Sep 17 00:00:00 2001 From: Nicolas De Loof Date: Mon, 29 Jun 2020 09:12:43 +0200 Subject: [PATCH] Document required AWS permissions Signed-off-by: Nicolas De Loof --- ecs/docs/requirements.md | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 ecs/docs/requirements.md diff --git a/ecs/docs/requirements.md b/ecs/docs/requirements.md new file mode 100644 index 00000000..d142de4f --- /dev/null +++ b/ecs/docs/requirements.md @@ -0,0 +1,31 @@ +## Requirements + +This plugin relies on AWS API credentials, using the same configuration files as +the AWS command line. + +Such credentials can be configured by the `docker ecs setup` command, either by +selecting an existing AWS CLI profile from existing config files, or by creating +one passing an AWS access key ID and secret access key. + +## Permissions + +AWS accounts (or IAM roles) used with the ECS plugin require following permissions: + +- ec2:DescribeSubnets +- ec2:DescribeVpcs +- iam:CreateServiceLinkedRole +- iam:AttachRolePolicy +- cloudformation:* +- ecs:* +- logs:* +- servicediscovery:* +- elasticloadbalancing:* + + +## Okta support + +For those relying on [aws-okta](https://github.com/segmentio/aws-okta) to access a managed AWS account +(as we do at Docker), you can populate your aws config files with temporary access tokens using: +```shell script +aws-okta write-to-credentials ~/.aws/credentials +```
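Review bot: the list under `## Permissions` grants unbounded wildcard access (`cloudformation:*`, `ecs:*`, `logs:*`, `servicediscovery:*`, `elasticloadbalancing:*`) together with `iam:AttachRolePolicy`, and the surrounding text presents this as what the plugin "requires"; a reader will copy it straight into an IAM policy, and unrestricted `iam:AttachRolePolicy` lets the credential attach any managed policy (including `AdministratorAccess`) to any role, which is a privilege-escalation path rather than a deployment permission. Suggest stating that the wildcards are a permissive superset, listing the concrete actions the plugin actually calls where they are known, and recommending that `iam:AttachRolePolicy` be scoped to the role ARNs the plugin creates and constrained with the `iam:PolicyARN` condition key. Minor points in the same hunk: "require following permissions" should read "require the following permissions"; "AWS accounts (or IAM roles)" should be "IAM users (or roles)", since permissions attach to principals, not to accounts; and the fence info string `shell script` is not a standard language tag, so `shell` or `bash` would render more reliably.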