Here I have a task definition for Fargate to launch a microservice inside. It isn't important what this microservice does. My question is about the two properties below:
```yaml
ExecutionRoleArn: !GetAtt ECSTaskRole.Arn
TaskRoleArn: !GetAtt ECSTaskRole.Arn
```
and here is the TaskDefinition for Fargate/microservice; again, the microservice here isn't important.
```yaml
TaskDefinition:
  Type: AWS::ECS::TaskDefinition
  Properties:
    RequiresCompatibilities:
      - "FARGATE"
    ContainerDefinitions:
      - Environment:
          - Name: DEST_BUCKET
            Value: !Ref BucketName
          - Name: SOURCE_QUEUE_URL
            Value: !Ref ConversionQueue
        Essential: true
        Image: !Sub '${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${EcrRepo}'
        LogConfiguration:
          LogDriver: awslogs
          Options:
            awslogs-group: !Ref LogGroup
            awslogs-region: !Ref AWS::Region
            awslogs-stream-prefix: ecs
        Name: 'conversion'
    Cpu: '256'
    ExecutionRoleArn: !GetAtt ECSTaskRole.Arn
    Family: 'conversion-taskdefinition'
    Memory: '512'
    NetworkMode: awsvpc
    TaskRoleArn: !GetAtt ECSTaskRole.Arn
```
and here is the ECSTaskRole:
```yaml
ECSTaskRole:
  Type: AWS::IAM::Role
  Properties:
    Description: 'IAM Role for conversion-service tasks'
    RoleName: 'conversion-taskrole'
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - ecs-tasks.amazonaws.com
          Action:
            - 'sts:AssumeRole'
    Path: /
    Policies:
      - PolicyName: root
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "s3:PutObject"
              Resource: !Join
                - ''
                - - 'arn:aws:s3:::'
                  - !Ref S3Bucket
                  - /*
            - Effect: Allow
              Action:
                - "sqs:*"
              Resource: !GetAtt ConversionQueue.Arn
```
So if I understand the IAM and Fargate relationship properly, the Fargate instances specified in the task definition assume the ECSTaskRole, which defines what the instances are allowed to do?
CodePudding user response:
Quoting the question: "Fargate instances specified in the task definition assume the ECSTaskRole which defines what the instances are allowed to do?"

Yes. The `TaskRoleArn` role is assumed by the Fargate task, so that your application running on Fargate can interact with AWS, e.g. access S3.

`ExecutionRoleArn` is for the ECS service itself, so that the service, not your application, can access the AWS resources required to actually run your image, e.g. access ECR to download your Docker image.
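Because the two roles are used by different principals (the ECS agent for `ExecutionRoleArn`, your container process for `TaskRoleArn`), the usual practice is to keep them separate so that neither side carries the other's permissions. The template below is an added example, not code from the question or the answer above. It splits the single `ECSTaskRole` into an execution role that only carries the AWS-managed `AmazonECSTaskExecutionRolePolicy` (ECR pull and CloudWatch Logs write), and a task role limited to what the conversion container actually calls: writing objects to the bucket and consuming the queue, instead of `sqs:*`. The role names `ConversionTaskExecutionRole` and `ConversionTaskRole`, the policy name `conversion-task-access`, and the SQS action list are assumptions for this example; `S3Bucket`, `ConversionQueue`, `EcrRepo` and `LogGroup` are the resources and parameters the question's template already references. The `aws:SourceAccount` / `aws:SourceArn` conditions on the trust policy restrict which account's ECS tasks can assume the roles.

```yaml
# Added example (not from the original post): separate execution and task
# roles for the conversion task definition from the question.
Resources:
  # Execution role: used by the ECS agent, not by the application. It only
  # needs to pull the image from ECR and ship logs to CloudWatch Logs, which
  # is exactly what the AWS-managed policy grants.
  ConversionTaskExecutionRole:               # assumed name
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
              ArnLike:
                aws:SourceArn: !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:*"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy

  # Task role: the credentials the container process receives. Grant only the
  # API calls the conversion code makes; a compromised container gets no more.
  ConversionTaskRole:                        # assumed name
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
              ArnLike:
                aws:SourceArn: !Sub "arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:*"
      Policies:
        - PolicyName: conversion-task-access  # assumed name
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Write converted objects into the destination bucket only.
              - Effect: Allow
                Action: s3:PutObject
                Resource: !Sub "arn:aws:s3:::${S3Bucket}/*"
              # Consume from the conversion queue; no SendMessage, no
              # queue administration (assumed to be all the consumer needs).
              - Effect: Allow
                Action:
                  - sqs:ReceiveMessage
                  - sqs:DeleteMessage
                  - sqs:ChangeMessageVisibility
                  - sqs:GetQueueAttributes
                Resource: !GetAtt ConversionQueue.Arn

  # The task definition now points each property at its own role.
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: conversion-taskdefinition
      RequiresCompatibilities:
        - FARGATE
      NetworkMode: awsvpc
      Cpu: "256"
      Memory: "512"
      ExecutionRoleArn: !GetAtt ConversionTaskExecutionRole.Arn
      TaskRoleArn: !GetAtt ConversionTaskRole.Arn
      ContainerDefinitions:
        - Name: conversion
          Essential: true
          Image: !Sub "${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${EcrRepo}"
          Environment:
            - Name: DEST_BUCKET
              Value: !Ref S3Bucket
            - Name: SOURCE_QUEUE_URL
              Value: !Ref ConversionQueue
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Ref LogGroup
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: ecs
```

A quick way to confirm the split is working: exec into the running task (or read the logs) and call `aws sts get-caller-identity` from inside the container; the ARN it returns should be `ConversionTaskRole`, never the execution role, and an `aws ecr get-login-password` from the same shell should be denied.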