Amazon Elastic Container Service (ECS)

ECS and IAM Roles

There are several roles used with ECS, each assumed by a different principal:
[EC2 and external instances] Amazon ECS container instance IAM role – attached to the instance profile and assumed by the ECS container agent on the host (registering the instance, polling for work, reporting state). It is an agent role, not a workload role, so keep it to the managed policy AmazonEC2ContainerServiceforEC2Role and nothing application-specific.
Task IAM role – assumed by the application code running inside the task's containers. The agent serves these credentials to the container through the credential provider endpoint at 169.254.170.2 (the path comes from the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable), and the AWS SDKs pick them up automatically. This is where least-privilege permissions for the workload belong.
[EC2 and Fargate] Amazon ECS task execution IAM role – used by the ECS container agent or the Fargate agent, on the task's behalf, to pull the image from a private ECR repository, fetch secrets referenced from Secrets Manager or SSM Parameter Store, and send logs to CloudWatch. It is not limited to Fargate, and it is never exposed to the containers themselves. The managed policy AmazonECSTaskExecutionRolePolicy covers the common case; keep it separate from the task role so application code cannot inherit the agent's permissions.
Amazon ECS infrastructure IAM role – allows the ECS service to manage infrastructure resources in your clusters on your behalf, for example attaching Amazon EBS volumes to tasks.

Other roles used with ECS:
ECS Anywhere IAM role – on-premises servers or virtual machines (VMs) registered as external instances need an IAM role (created via the SSM activation) so the ECS agent and SSM agent on them can call AWS APIs
Amazon ECS CodeDeploy IAM role – the CodeDeploy service needs permissions to update ECS services and shift traffic when performing blue/green deployments
Amazon ECS EventBridge IAM role – to use Amazon ECS scheduled tasks with EventBridge rules and targets, the EventBridge service needs permission to call RunTask (and to pass the task and execution roles)


Note:
A container can only retrieve credentials for the task IAM role defined in the task definition it belongs to. The agent hands each task a unique credential path (the value of AWS_CONTAINER_CREDENTIALS_RELATIVE_URI) and only answers requests on that path with that task's credentials.
A container never has access to credentials intended for a container in another task, and it never sees the task execution role at all; that role is used by the agent, not inside the container.
When using EC2 instances, tasks are not prevented from reaching the instance metadata service (169.254.169.254) by default, so a compromised container can obtain the container instance role's credentials in addition to its own task role. Block this: for awsvpc network mode set ECS_AWSVPC_BLOCK_IMDS=true in /etc/ecs/ecs.config; for bridge mode add an iptables rule in the DOCKER-USER chain dropping traffic from docker+ interfaces to 169.254.169.254/32 (requiring IMDSv2 with a hop limit of 1 also stops bridge-mode containers); host network mode cannot be filtered per task. Keep the instance role minimal regardless.
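The credential-scoping rules above can be checked against a task definition and the instance's agent configuration. The following is an added example written for this page, not code from AWS or the ECS agent. It reports, per container, which of the three credential sources (task role, execution role, instance role) is reachable, given the launch type, the task definition's networkMode, the contents of /etc/ecs/ecs.config and a hypothetical host_drops_imds flag that stands in for the iptables check, which cannot be done offline. The task definition, config text and ARNs are constructed samples.

```python
"""Audit which AWS credential sources the containers of an ECS task can reach.

Added example; not code from AWS or the ECS agent. All inputs below are constructed.
"""
import json

IMDS_ADDRESS = "169.254.169.254"      # EC2 instance metadata: serves the instance role
AGENT_CRED_ADDRESS = "169.254.170.2"  # ECS agent credential provider: serves the task role


def parse_ecs_config(text):
    """Parse KEY=VALUE lines of /etc/ecs/ecs.config into a dict, ignoring comments."""
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        config[key.strip()] = value.strip()
    return config


def instance_role_exposure(launch_type, network_mode, ecs_config, host_drops_imds=False):
    """Return (status, note): can containers reach the instance role through IMDS?

    status is one of 'not_applicable', 'blocked', 'reachable'.
    host_drops_imds is a hypothetical input standing in for an iptables inspection.
    """
    if launch_type == "FARGATE":
        return "not_applicable", "Fargate tasks run without a container instance role"
    if network_mode == "none":
        return "blocked", "networkMode=none gives the container no network path at all"
    if network_mode == "awsvpc":
        if ecs_config.get("ECS_AWSVPC_BLOCK_IMDS", "false").lower() == "true":
            return "blocked", "ECS_AWSVPC_BLOCK_IMDS=true blocks task traffic to " + IMDS_ADDRESS
        return "reachable", "set ECS_AWSVPC_BLOCK_IMDS=true in /etc/ecs/ecs.config"
    if network_mode == "host":
        return "reachable", "host network mode shares the instance namespace; IMDS cannot be filtered per task"
    # bridge: the EC2 default when networkMode is omitted
    if host_drops_imds:
        return "blocked", "DOCKER-USER iptables rule drops docker+ traffic to " + IMDS_ADDRESS
    return "reachable", ("add 'iptables --insert DOCKER-USER 1 --in-interface docker+ "
                         "--destination 169.254.169.254/32 --jump DROP' on the instance")


def audit_task_definition(taskdef, launch_type, ecs_config_text="", host_drops_imds=False):
    """Return one finding per container plus task-level warnings."""
    config = parse_ecs_config(ecs_config_text)
    network_mode = taskdef.get("networkMode", "awsvpc" if launch_type == "FARGATE" else "bridge")
    task_role = taskdef.get("taskRoleArn")
    exec_role = taskdef.get("executionRoleArn")
    status, note = instance_role_exposure(launch_type, network_mode, config, host_drops_imds)

    warnings = []
    if task_role and task_role == exec_role:
        warnings.append("taskRoleArn equals executionRoleArn: application code inherits the agent's "
                        "ECR/Secrets Manager/CloudWatch permissions")
    if status == "reachable":
        warnings.append("instance role reachable from containers: " + note)

    containers = []
    for c in taskdef["containerDefinitions"]:
        containers.append({
            "container": c["name"],
            # Only this task's role is served, at http://169.254.170.2 + AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
            "task_role": task_role,
            # The execution role is used by the agent on the task's behalf, never handed to the container
            "execution_role_in_container": False,
            "instance_role": status,
        })
    return {"networkMode": network_mode, "containers": containers, "warnings": warnings}


# Constructed sample inputs (not from a real account).
SAMPLE_TASKDEF = {
    "family": "web",
    "networkMode": "awsvpc",
    "taskRoleArn": "arn:aws:iam::123456789012:role/web-task-role",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "containerDefinitions": [{"name": "app", "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/web:1"}],
}
SAMPLE_ECS_CONFIG = "ECS_CLUSTER=prod\n# IMDS not blocked yet\n"
HARDENED_ECS_CONFIG = SAMPLE_ECS_CONFIG + "ECS_AWSVPC_BLOCK_IMDS=true\n"

if __name__ == "__main__":
    for label, cfg in (("as deployed", SAMPLE_ECS_CONFIG), ("hardened", HARDENED_ECS_CONFIG)):
        print(label, json.dumps(audit_task_definition(SAMPLE_TASKDEF, "EC2", cfg), indent=2))
```

Run it against the real task definition (aws ecs describe-task-definition output) and the instance's /etc/ecs/ecs.config; the "reachable" finding is the one that turns a single compromised container into the instance role's permissions.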
