Here's twtech's clear breakdown of how IAM roles work in Amazon ECS. Understanding them is essential for secure, fine-grained access control over ECS components.
IAM Roles in Amazon ECS
Amazon ECS uses IAM roles to control what ECS services, containers, and EC2 instances can do.
There are three main types of IAM roles used in ECS:
1. ECS Task Execution Role
- Purpose: Allows ECS itself to perform actions on your behalf when launching tasks.
- Used by: the ECS agent, not the twtech application directly.
- Required when:
  - Pulling container images from Amazon ECR
  - Pushing logs to Amazon CloudWatch
  - Fetching and decrypting secrets from AWS Secrets Manager or SSM Parameter Store
Key Policy Actions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "ssm:GetParameters",
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "*"
    }
  ]
}
```
"Resource": "*" is the broad form shown for brevity; the twtech best practices below call for scoping it down to the repositories, log groups and secrets the task actually uses.
Attached in: Task Definition → executionRoleArn
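To make the least-privilege point concrete, here is an added example (not code from the original post) that reads a constructed task definition and derives an execution role policy scoped to the ECR repository, CloudWatch log group and secrets the task references, instead of granting the actions above on "*". The task definition, account ID, region and ARNs are placeholders constructed for the example; `ecr:BatchGetImage` is added because pulling an image needs it, and `ecr:GetAuthorizationToken` stays on "*" because that action does not support resource-level permissions.

```python
"""Derive a scoped ECS task execution role policy from a task definition.

Added example, not code from the original post: it walks a constructed task
definition and narrows each execution-role permission (ECR pull, CloudWatch
Logs, Secrets Manager / SSM) to the resources the task actually references.
"""
import json
import re

# Constructed sample task definition; account ID, region, names and ARNs are placeholders.
TASK_DEFINITION = {
    "family": "orders-api",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ordersTaskExecutionRole",
    "containerDefinitions": [
        {
            "name": "api",
            "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/orders-api:1.4.2",
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {"awslogs-group": "/ecs/orders-api", "awslogs-region": "us-east-1"},
            },
            "secrets": [
                {"name": "DB_PASSWORD",
                 "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:orders/db-AbCdEf"},
                {"name": "API_KEY",
                 "valueFrom": "arn:aws:ssm:us-east-1:123456789012:parameter/orders/api-key"},
            ],
        }
    ],
}

# Private ECR image URIs look like <account>.dkr.ecr.<region>.amazonaws.com/<repo>[:tag|@digest].
ECR_IMAGE = re.compile(
    r"^(?P<account>\d{12})\.dkr\.ecr\.(?P<region>[a-z0-9-]+)\.amazonaws\.com/(?P<repo>[^:@]+)"
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def build_execution_policy(task_def):
    """Return an IAM policy document granting only what this task definition needs."""
    account = task_def["executionRoleArn"].split(":")[4]  # ARN field 5 is the account ID
    repos, log_groups, secrets, params = set(), set(), set(), set()

    for container in task_def.get("containerDefinitions", []):
        match = ECR_IMAGE.match(container.get("image", ""))
        if match:
            repos.add(f"arn:aws:ecr:{match['region']}:{match['account']}:repository/{match['repo']}")
        log_cfg = container.get("logConfiguration") or {}
        if log_cfg.get("logDriver") == "awslogs":
            opts = log_cfg["options"]
            log_groups.add(
                f"arn:aws:logs:{opts['awslogs-region']}:{account}:log-group:{opts['awslogs-group']}:*"
            )
        for secret in container.get("secrets", []):
            ref = secret["valueFrom"]
            if ref.startswith("arn:aws:secretsmanager:"):
                secrets.add(ref)
            elif ref.startswith("arn:aws:ssm:"):
                params.add(ref)

    statements = []
    if repos:
        # GetAuthorizationToken has no resource-level scope, so it alone must stay on "*".
        statements.append({"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"})
        statements.append({
            "Effect": "Allow",
            # BatchGetImage is also required to pull; it is part of AWS's managed execution role policy.
            "Action": ["ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"],
            "Resource": sorted(repos),
        })
    if log_groups:
        statements.append({"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                           "Resource": sorted(log_groups)})
    if secrets:
        statements.append({"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
                           "Resource": sorted(secrets)})
    if params:
        statements.append({"Effect": "Allow", "Action": "ssm:GetParameters", "Resource": sorted(params)})
    return {"Version": "2012-10-17", "Statement": statements}


def wildcard_actions(policy):
    """Actions a policy allows on every resource ("*"); anything beyond ECR auth deserves review."""
    found = set()
    for st in policy["Statement"]:
        if st.get("Effect") == "Allow" and "*" in _as_list(st["Resource"]):
            found.update(_as_list(st["Action"]))
    return sorted(found)


if __name__ == "__main__":
    scoped = build_execution_policy(TASK_DEFINITION)
    print(json.dumps(scoped, indent=2))
    print("still on Resource '*':", wildcard_actions(scoped))
```

Running `wildcard_actions` over the derived policy reports only `ecr:GetAuthorizationToken`; running it over the broad statement above reports all seven actions, which is the gap a policy review is looking for. If a Secrets Manager secret is encrypted with a customer-managed KMS key, the execution role additionally needs `kms:Decrypt` on that key, which this example does not infer from the task definition.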
2. ECS Task Role
- Purpose: Defines what the application running inside your container can access.
- Used by: the twtech containerized app (e.g., calling the AWS SDK to access DynamoDB, S3, etc.)
- The IAM role is assigned per task, not per EC2 instance.
Example Use Case: The app inside the container needs to read an S3 bucket or write to DynamoDB.
Attached in: Task Definition → taskRoleArn
3. ECS Container Instance Role (EC2 launch type only)
- Purpose: Allows the ECS agent on EC2 to register with the ECS control plane and send metrics/logs.
- Used by: the ECS agent running on the EC2 instance.
- Also called: ecsInstanceRole
Policy: Attach the AWS-managed policy AmazonEC2ContainerServiceforEC2Role
Required for:
- ECS agent communication
- Auto scaling and monitoring
- Pulling from SSM or ECR (if needed)
Attached to: the EC2 instance IAM role (via an EC2 launch template or ASG)
Summary Table
| Role Type | Applies To | Used For | Required |
|---|---|---|---|
| Task Execution Role | ECS system components | Pulling images, logs, secrets | ✅ Yes |
| Task Role | twtech container app | Accessing AWS services (S3, DynamoDB) | Optional |
| EC2 Instance Role | EC2 container hosts | ECS agent registration, CloudWatch | ECS-EC2 only |
Example: Task Execution Role (Trust Policy)
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
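The trust policy decides who may assume the role at all, so it deserves the same review as the permissions policy. The following added example (not code from the original post) checks a trust policy for an ECS task or execution role: the only principal should be ecs-tasks.amazonaws.com, and AWS recommends adding aws:SourceAccount and aws:SourceArn conditions so that only tasks in your own account and region can trigger the assumption (the confused-deputy guard). The hardened and overly broad policies, the account ID and the region are constructed for the example; the minimal policy is the one shown above.

```python
"""Check that an ECS task/execution role trust policy is as narrow as intended.

Added example, not code from the original post. It flags trust policies that
let anything other than ecs-tasks.amazonaws.com assume the role, or that lack
the aws:SourceAccount / aws:SourceArn conditions AWS recommends against the
confused-deputy problem.
"""

ECS_TASKS = "ecs-tasks.amazonaws.com"

# The minimal trust policy from the post.
MINIMAL_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": ECS_TASKS}, "Action": "sts:AssumeRole"}
    ],
}

# Hardened variant (constructed); account ID and region are placeholders.
HARDENED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": ECS_TASKS},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": "123456789012"},
                "ArnLike": {"aws:SourceArn": "arn:aws:ecs:us-east-1:123456789012:*"},
            },
        }
    ],
}

# Constructed bad example: an IAM principal wildcard sitting next to the ECS service principal.
OVERLY_BROAD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": ECS_TASKS, "AWS": "*"}, "Action": "sts:AssumeRole"}
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_ecs_trust_policy(doc, expected_account):
    """Return a list of findings; an empty list means the trust policy passes."""
    findings = []
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            findings.append("statement lets any principal assume the role")
            principal = {}
        if "AWS" in principal or "Federated" in principal:
            findings.append("non-service principal (IAM or federated) can assume the role")
        extra = set(_as_list(principal.get("Service", []))) - {ECS_TASKS}
        if extra:
            findings.append(f"unexpected service principals: {sorted(extra)}")
        cond = st.get("Condition", {})
        if cond.get("StringEquals", {}).get("aws:SourceAccount") != expected_account:
            findings.append("missing or wrong aws:SourceAccount condition (confused-deputy guard)")
        has_source_arn = any(
            "aws:SourceArn" in cond.get(op, {}) for op in ("ArnLike", "ArnEquals", "StringLike")
        )
        if not has_source_arn:
            findings.append("missing aws:SourceArn condition (confused-deputy guard)")
    return findings


if __name__ == "__main__":
    for name, doc in (("minimal", MINIMAL_TRUST), ("hardened", HARDENED_TRUST), ("broad", OVERLY_BROAD_TRUST)):
        print(name, check_ecs_trust_policy(doc, "123456789012") or ["ok"])
```

The same check works for the task role's trust policy, since ECS assumes both roles through the ecs-tasks.amazonaws.com service principal.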
twtech Best Practices
- Always restrict permissions with least privilege.
- Use a different role for each task type when apps have different AWS access needs.
- Audit IAM role usage with CloudTrail and IAM Access Analyzer.
- For Fargate, a task execution role is required; for EC2, both task and instance roles might be needed.
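To show what auditing role usage with CloudTrail looks like in practice, here is an added example (not code from the original post). It runs over constructed CloudTrail records in the shape of sts:AssumeRole events, maps each ECS role to the callers that assumed it, and reports two things a reviewer wants: inventoried roles that nothing assumed (candidates for removal) and roles assumed by something other than the ecs-tasks.amazonaws.com service principal. The records, the role inventory, the account ID and the names are placeholders; a real run would read events from CloudTrail Lake, Athena or exported log files.

```python
"""Audit which ECS roles are actually assumed, and by whom, from CloudTrail.

Added example, not code from the original post. The records are constructed
samples in the shape CloudTrail uses for sts:AssumeRole (account ID, role
names and timestamps are placeholders).
"""
from collections import defaultdict

ECS_TASKS = "ecs-tasks.amazonaws.com"
ACCOUNT = "123456789012"  # placeholder account ID

# Constructed CloudTrail records.
RECORDS = [
    {   # ECS assuming the task role on task start: the expected pattern
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "eventTime": "2024-05-01T10:00:00Z",
        "userIdentity": {"type": "AWSService", "invokedBy": ECS_TASKS},
        "requestParameters": {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/ordersTaskRole",
                              "roleSessionName": "0f1e2d3c"},
    },
    {   # ECS assuming the execution role to pull the image and fetch secrets
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "eventTime": "2024-05-01T10:00:01Z",
        "userIdentity": {"type": "AWSService", "invokedBy": ECS_TASKS},
        "requestParameters": {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/ordersTaskExecutionRole",
                              "roleSessionName": "0f1e2d3c"},
    },
    {   # An IAM user assuming a task role directly: worth a closer look
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "eventTime": "2024-05-01T11:30:00Z",
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
        "requestParameters": {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/ordersTaskRole",
                              "roleSessionName": "alice-cli"},
    },
    {   # Unrelated API call, ignored by the audit
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "eventTime": "2024-05-01T11:31:00Z",
        "userIdentity": {"type": "AssumedRole",
                         "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/ordersTaskRole/0f1e2d3c"},
        "requestParameters": {"bucketName": "orders-data", "key": "2024/05/01.csv"},
    },
]

# Roles the account defines for ECS (constructed inventory, e.g. gathered with iam:ListRoles).
ECS_ROLE_INVENTORY = {
    f"arn:aws:iam::{ACCOUNT}:role/ordersTaskRole",
    f"arn:aws:iam::{ACCOUNT}:role/ordersTaskExecutionRole",
    f"arn:aws:iam::{ACCOUNT}:role/legacyBatchTaskRole",
}


def assume_role_callers(records):
    """Map each assumed role ARN to the set of callers that assumed it."""
    callers = defaultdict(set)
    for rec in records:
        if rec.get("eventSource") != "sts.amazonaws.com" or rec.get("eventName") != "AssumeRole":
            continue
        ident = rec.get("userIdentity", {})
        # Service-invoked calls carry invokedBy; human or role callers carry their own ARN.
        caller = ident.get("invokedBy") or ident.get("arn") or ident.get("type", "unknown")
        callers[rec["requestParameters"]["roleArn"]].add(caller)
    return dict(callers)


def audit_ecs_roles(records, inventory):
    """Flag inventoried roles never assumed, and roles assumed by something other than ECS."""
    usage = assume_role_callers(records)
    unused = sorted(role for role in inventory if role not in usage)
    unexpected = {}
    for role, who in usage.items():
        others = sorted(who - {ECS_TASKS})
        if others:
            unexpected[role] = others
    return {"unused": unused, "unexpected_callers": unexpected}


if __name__ == "__main__":
    report = audit_ecs_roles(RECORDS, ECS_ROLE_INVENTORY)
    for role in report["unused"]:
        print("never assumed (candidate for removal):", role)
    for role, who in report["unexpected_callers"].items():
        print("assumed outside ECS:", role, "by", ", ".join(who))
```

A role that is never assumed over a full audit window is a least-privilege clean-up target; a task role assumed by a human or by another role is either a sanctioned break-glass path or a misconfigured trust policy, and the trust-policy conditions discussed above are what close the second case.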