AWS library scope does not respect cluster filter

[pecigonzalo]

When we use ECS Cluster filter, the AWS API queries are not respecting that filter and require us to use wide open rules.

[slok]

Hi!

I don't understand the issue, could you explain me a little more please? :)

[pecigonzalo]

Sure thing!
Lets say i run:
./bin/ecs-exporter --aws.region="${AWS_REGION}" --aws.cluster-filter="${SOME_CLUSTER}"

The exporter still requires us to use

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "ecs:ListServices",
                "ecs:ListContainerInstances",
                "ecs:ListClusters",
                "ecs:DescribeServices",
                "ecs:DescribeContainerInstances",
                "ecs:DescribeClusters"
            ],
            "Resource": "*"
        }
    ]
}

When it knows the cluster and the regions, so it should be able to run without ecs:ListClusters and it should not run the describe/list on all cluster.
This also applies to the "Resource": "*" definition, if try to use a smaller scope it will fail due to how it performs the lookup.

My main concern here is to prevent ecs-exporter from accessing other clusters. Hope this is more clear now.