🐾Task, execution and capacity provider roles for ECS🐾
❓What is the difference between the ECS task role, the execution role and the EC2 capacity role, and which policies should you assign to each of them?
✅ ECS task role
This is the role assumed by the task container, so it should carry all the permissions your application code needs at runtime, e.g. S3 access, and nothing more. The principal in this role's trust policy should be “ecs-tasks.amazonaws.com”.
✅ ECS execution role
This is the role assumed by the ECS service itself (not by your container). It should have the "AmazonECSTaskExecutionRolePolicy" managed policy attached. If you want ECS to create the CloudWatch Logs log group for you, you need to grant additional rights, as the managed policy only allows creating log streams, not log groups. The principal in this role's trust policy should be “ecs-tasks.amazonaws.com” as well.
✅ ECS EC2 capacity role
This is the role assumed by the EC2 instances in the Auto Scaling group that serves as a capacity provider for the ECS cluster. As the instances themselves don’t need access to the resources used by the containers, you should attach only the “AmazonEC2ContainerServiceforEC2Role” AWS-managed policy. The principal in this role's trust policy should be "ec2.amazonaws.com".
ARNs of managed policies mentioned earlier:
🔹arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
🔹arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role
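As an added example (not part of the original post), the Python script below builds the trust policy and permission set for each of the three roles exactly as described above, and then audits a role definition against that advice: the trust policy must name only the expected service principal, the execution role must carry AmazonECSTaskExecutionRolePolicy (plus a narrow logs:CreateLogGroup grant for one log group), and the capacity role must carry nothing but AmazonEC2ContainerServiceforEC2Role. The bucket ARN, log group ARN, inline policy names and the `kind` labels are constructed placeholders; the script runs offline and does not call AWS.

```python
import json

# Service principals named in the post
ECS_TASKS_PRINCIPAL = "ecs-tasks.amazonaws.com"
EC2_PRINCIPAL = "ec2.amazonaws.com"

# AWS-managed policy ARNs listed in the post
TASK_EXECUTION_POLICY_ARN = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
EC2_CAPACITY_POLICY_ARN = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"

# Which service principal each role kind must trust ("kind" labels are ours, not AWS terms)
EXPECTED_PRINCIPAL = {
    "task": ECS_TASKS_PRINCIPAL,
    "execution": ECS_TASKS_PRINCIPAL,
    "ec2_capacity": EC2_PRINCIPAL,
}


def trust_policy(service_principal):
    """Trust policy that lets exactly one AWS service principal assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": service_principal},
            "Action": "sts:AssumeRole",
        }],
    }


def allow_statement(actions, resource):
    """Identity policy with a single scoped Allow statement."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": actions, "Resource": resource}],
    }


def role_definitions(bucket_arn, log_group_arn):
    """Build the three roles; bucket_arn and log_group_arn are caller-supplied placeholders."""
    return {
        "task": {
            "kind": "task",
            "trust_policy": trust_policy(ECS_TASKS_PRINCIPAL),
            "managed_policy_arns": [],
            # Only what the application needs: read objects from one bucket
            "inline_policies": {"app-s3-read": allow_statement(["s3:GetObject"], f"{bucket_arn}/*")},
        },
        "execution": {
            "kind": "execution",
            "trust_policy": trust_policy(ECS_TASKS_PRINCIPAL),
            "managed_policy_arns": [TASK_EXECUTION_POLICY_ARN],
            # The managed policy can create log streams but not the group itself,
            # so grant CreateLogGroup for this one group only
            "inline_policies": {"create-log-group": allow_statement(["logs:CreateLogGroup"], log_group_arn)},
        },
        "ec2_capacity": {
            "kind": "ec2_capacity",
            "trust_policy": trust_policy(EC2_PRINCIPAL),
            "managed_policy_arns": [EC2_CAPACITY_POLICY_ARN],
            "inline_policies": {},
        },
    }


def trusted_services(policy):
    """Set of service principals allowed to assume the role, or None if any Allow
    statement trusts something other than a service principal (e.g. "*" or an account)."""
    services = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            return None
        value = principal["Service"]
        services.update([value] if isinstance(value, str) else value)
    return services


def audit_role(role):
    """Return a list of findings; an empty list means the role follows the post's advice."""
    findings = []
    kind = role["kind"]
    expected = EXPECTED_PRINCIPAL[kind]
    trusted = trusted_services(role["trust_policy"])
    if trusted != {expected}:
        findings.append(f"{kind}: trust policy must allow only {expected}, got {trusted}")
    managed = role["managed_policy_arns"]
    if kind == "execution" and TASK_EXECUTION_POLICY_ARN not in managed:
        findings.append("execution: AmazonECSTaskExecutionRolePolicy is not attached")
    if kind == "ec2_capacity" and (managed != [EC2_CAPACITY_POLICY_ARN] or role["inline_policies"]):
        findings.append("ec2_capacity: only AmazonEC2ContainerServiceforEC2Role should be attached")
    return findings


if __name__ == "__main__":
    # Constructed placeholder ARNs
    roles = role_definitions("arn:aws:s3:::example-app-bucket",
                             "arn:aws:logs:eu-west-1:123456789012:log-group:/ecs/example-app:*")
    for name, role in roles.items():
        print(name, audit_role(role) or "OK")
        print(json.dumps(role["trust_policy"], indent=2))
```

The audit deliberately treats a wildcard or account principal in the trust policy as a finding, because a task or execution role that can be assumed by anything other than ecs-tasks.amazonaws.com (or ec2.amazonaws.com for the capacity role) is a much larger exposure than a missing managed policy.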