Difference between AWS Elastic Container Service's (ECS) ExecutionRole and TaskRole

I'm using AWS's CloudFormation, and I recently spent quite a bit of time trying to figure out why the role I had created and attached policies to was not enabling my ECS task to send a message to a Simple Queue Service (SQS) queue.

I realized that I was incorrectly attaching the SQS permissions policy to the Execution Role when I should have been attaching the policy to the Task Role. I cannot find good documentation that explains the difference between the two roles. The CloudFormation documentation for the two of them is here: ExecutionRole and TaskRole

johnklawlor asked Feb 27 '18 00:02


People also ask

What is ECS task execution role?

The task execution role grants the Amazon ECS container and Fargate agents permission to make AWS API calls on your behalf. The task execution IAM role is required depending on the requirements of your task. You can have multiple task execution roles for different purposes and services associated with your account.

What is execution role in AWS?

A Lambda function's execution role is an AWS Identity and Access Management (IAM) role that grants the function permission to access AWS services and resources. For example, you might create an execution role that has permission to send logs to Amazon CloudWatch and upload trace data to AWS X-Ray.

What is ECS service and task?

Amazon Elastic Container Service (Amazon ECS) is a highly scalable and fast container management service. You can use it to run, stop, and manage containers on a cluster. With Amazon ECS, your containers are defined in a task definition that you use to run an individual task or task within a service.

How many containers can run per task on ECS?

ECS lets you run up to 120 tasks per EC2 instance. Amazon EKS lets you assign a dedicated network interface with a public IP address to a Kubernetes pod. This means all containers will share access to internal and external networks through this interface.


1 Answer

Referring to the documentation, you can see that the execution role is the IAM role that executes ECS actions such as pulling the image and storing the application logs in CloudWatch.

The TaskRole, then, is the IAM role used by the task itself. For example, if your container wants to call other AWS services like S3, SQS, etc., then those permissions would need to be covered by the TaskRole.

Using a TaskRole is functionally the same as using access keys in a config file on the container instance. Using access keys in this way is not secure and is considered very bad practice. I include this in the answer because many people reading this already understand access keys.

mehtunguh answered Sep 21 '22 22:09
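To make the split concrete, here is an added CloudFormation template that is not part of the question or the answer above. It defines the two roles separately and wires each into an AWS::ECS::TaskDefinition through ExecutionRoleArn and TaskRoleArn. The queue, log group, family name and container image are constructed for the example; the ECR image URI is a placeholder. The execution role only gets the AWS managed AmazonECSTaskExecutionRolePolicy (image pull and log writes), while the sqs:SendMessage permission the asker needed lives on the task role, scoped to the one queue the container uses.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - separate ECS execution role and task role (not from the original post)

Resources:
  # Constructed resources for the example: the queue the container writes to
  # and the log group the ECS agent writes container logs into.
  WorkQueue:
    Type: AWS::SQS::Queue

  WorkerLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 14

  # Execution role: assumed by the ECS agent / Fargate to START the task.
  # It needs to pull the image and ship logs. Granting it sqs:SendMessage
  # would do nothing for the application code, which never assumes this role.
  TaskExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy

  # Task role: assumed by the code RUNNING INSIDE the container via the
  # container credential endpoint. Application permissions belong here, and
  # only the ones this workload needs, scoped to the specific queue.
  TaskRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: SendToWorkQueue
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: sqs:SendMessage
                Resource: !GetAtt WorkQueue.Arn

  WorkerTaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: sqs-worker
      RequiresCompatibilities: [FARGATE]
      NetworkMode: awsvpc
      Cpu: '256'
      Memory: '512'
      ExecutionRoleArn: !GetAtt TaskExecutionRole.Arn   # who launches the task
      TaskRoleArn: !GetAtt TaskRole.Arn                 # who the app code is
      ContainerDefinitions:
        - Name: worker
          # Placeholder image URI; replace with your own repository.
          Image: ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com/worker:latest
          Environment:
            - Name: QUEUE_URL
              Value: !Ref WorkQueue   # Ref on an SQS queue returns its URL
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Ref WorkerLogGroup
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: worker
```

A quick way to confirm which identity your application actually has is to run `aws sts get-caller-identity` from inside a running container: the returned ARN is an assumed-role session of the TaskRole, never of the execution role. If an SDK call from the container fails with AccessDenied, that is the role whose policy needs to change. Keeping the execution role on the managed policy alone also means a compromised container cannot use the agent's image-pull or log permissions, since those credentials are never exposed to it.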