
AWS – IAM Roles between Fargate instances and other AWS services

Here I have a task definition for Fargate to launch a microservice inside. It isn't important what this microservice does. My question is about the two properties below:

ExecutionRoleArn: !GetAtt ECSTaskRole.Arn
TaskRoleArn: !GetAtt ECSTaskRole.Arn

and here is the TaskDefinition for Fargate/Microservice; again, the microservice here isn't important.

  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      RequiresCompatibilities:
        - "FARGATE"
      ContainerDefinitions:
        - Environment:
            - Name: DEST_BUCKET
              Value: !Ref BucketName
            - Name: SOURCE_QUEUE_URL
              Value: !Ref ConversionQueue
          Essential: True
          Image: !Sub '${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${EcrRepo}'
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Ref LogGroup
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: ecs
          Name: 'conversion'
      Cpu: '256'
      ExecutionRoleArn: !GetAtt ECSTaskRole.Arn
      Family: 'conversion-taskdefinition'
      Memory: '512'
      NetworkMode: awsvpc
      TaskRoleArn: !GetAtt ECSTaskRole.Arn

and here is the ECSTaskRole:


  ECSTaskRole:
    Type: AWS::IAM::Role
    Properties:
      Description: 'IAM Role for conversion-service tasks'
      RoleName: 'conversion-taskrole'
      AssumeRolePolicyDocument:
        # quoted so YAML parsers do not read the version as a date
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ecs-tasks.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - "s3:PutObject"
                Resource: !Join
                  - ''
                  - - 'arn:aws:s3:::'
                    - !Ref S3Bucket
                    - /*
              - Effect: Allow
                Action:
                  - "sqs:*"
                Resource: !GetAtt ConversionQueue.Arn

So if I understand the IAM and Fargate relationship properly, the Fargate instances specified in the task definition assume the ECSTaskRole, which defines what the instances are allowed to do?

>Solution:

Fargate instances specified in the task definition assume the ECSTaskRole, which defines what the instances are allowed to do?

Yes. The TaskRoleArn role is assumed by the Fargate task, so that your application running on Fargate can interact with AWS, e.g. access S3.

ExecutionRoleArn is for the ECS service itself, so that the service, not your application, can access the AWS resources required to actually run your image, e.g. access ECR to download your Docker image.
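Because the two roles serve different principals, a practical consequence of the answer is to give each its own role rather than pointing both properties at ECSTaskRole: the execution role then carries only what the ECS agent needs (ECR pull and CloudWatch Logs writes, which the AWS-managed AmazonECSTaskExecutionRolePolicy grants), and the task role only what the application needs. The template below is an added illustration, not the question's or answer's code; it assumes ConversionQueue and S3Bucket are defined elsewhere in the same template and that these resources sit under its Resources block.

```yaml
# Added example (not the question's template); ConversionQueue and S3Bucket assumed defined elsewhere.
ECSTaskExecutionRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Service: ecs-tasks.amazonaws.com
          Action: sts:AssumeRole
    # AWS-managed policy: ECR image pull and CloudWatch Logs writes for the awslogs driver
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy

ECSTaskRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Service: ecs-tasks.amazonaws.com
          Action: sts:AssumeRole
          Condition:   # confused-deputy guard: only ECS tasks from this account may assume it
            StringEquals:
              aws:SourceAccount: !Ref AWS::AccountId
    Policies:
      - PolicyName: conversion-app
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action: s3:PutObject
              Resource: !Sub "arn:aws:s3:::${S3Bucket}/*"
            - Effect: Allow   # consumer actions only, instead of sqs:*
              Action:
                - sqs:ReceiveMessage
                - sqs:DeleteMessage
                - sqs:ChangeMessageVisibility
                - sqs:GetQueueAttributes
              Resource: !GetAtt ConversionQueue.Arn

TaskDefinition:
  Type: AWS::ECS::TaskDefinition
  Properties:
    ExecutionRoleArn: !GetAtt ECSTaskExecutionRole.Arn   # ECS agent: pull image, write logs
    TaskRoleArn: !GetAtt ECSTaskRole.Arn                 # application: S3 put, SQS consume
    # remaining properties unchanged from the question's TaskDefinition
```

With the roles split, a CloudTrail AssumeRole event for ECSTaskExecutionRole can only ever come from the ECS control plane starting a task, which makes unexpected use of either role easier to spot.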
