Home > Software design >  AWS - IAM Roles between Fargate instances and other AWS services
AWS - IAM Roles between Fargate instances and other AWS services

Time:01-31

Here I have a task definition for Fargate to launch a microservice inside. It isnt important what this microservice does. My question is about the two properties below:

ExecutionRoleArn: !GetAtt ECSTaskRole.Arn
TaskRoleArn: !GetAtt ECSTaskRole.Arn

and here is the TaskDefinition for Fargate/Microservice, again the microservice here isnt important.

TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties: 
      RequiresCompatibilities:
        - "FARGATE"
      ContainerDefinitions: 
        - Environment:
            - Name: DEST_BUCKET
              Value: !Ref BucketName
            - Name: SOURCE_QUEUE_URL
              Value: !Ref ConversionQueue
          Essential: True
          Image: !Sub '${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${EcrRepo}'
          LogConfiguration: 
            LogDriver: awslogs
            Options: 
              awslogs-group : !Ref LogGroup
              awslogs-region : !Ref AWS::Region
              awslogs-stream-prefix : ecs
          Name: 'conversion'
      Cpu: '256'
      ExecutionRoleArn: !GetAtt ECSTaskRole.Arn
      Family: 'conversion-taskdefinition'
      Memory: '512'
      NetworkMode: awsvpc
      TaskRoleArn: !GetAtt ECSTaskRole.Arn

and here is the ECSTaskRole:

  ECSTaskRole:
    Type: AWS::IAM::Role
    Properties:
      Description: 'IAM Role for conversion-service tasks'
      RoleName: 'conversion-taskrole'
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ecs-tasks.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow 
                Action: 
                  - "s3:PutObject"
                Resource: !Join
                  - ''
                  - - 'arn:aws:s3:::'
                    - !Ref S3Bucket
                    - /*
              - Effect: Allow
                Action: 
                  - sqs:*"
                Resource: !GetAtt ConversionQueue.Arn

So if I understand the IAM and FARGATE relationship properly, the Fargate instances specified in the task definition assumes the ECSTaskRole which defines what the instances are allowed to do?

CodePudding user response:

Fargate instances specified in the task definition assumes the ECSTaskRole which defines what the instances are allowed to do?

Yes. TaskRoleArn role is assumed by the fargate task, so that your application running on the fargate can interact with AWS, e.g. access S3.

ExecutionRoleArn is for the ECS service itself, so that the service, not your application, can access AWS resources required to actually run your image, e.g. access ECR to download your docker image.

  • Related