Three IAM Roles for ECS
Within ECS there are three IAM roles that control what the hosts, the ECS control plane and the containers themselves are allowed to do. Each serves a distinct purpose and is used at a different stage of a task's lifecycle.
Container Instance IAM Role
In the EC2 launch type, this role is attached (through an instance profile) to the EC2 instances that host the containers; in practice it is set in the launch template or Auto Scaling group behind the cluster's capacity provider rather than on the cluster object itself. The ECS agent on each instance uses it to register with the cluster and to call other AWS services. Its credentials are served by the instance metadata service (169.254.169.254), so any container that can reach that endpoint can use them. In awsvpc network mode set ECS_AWSVPC_BLOCK_IMDS=true in the agent configuration, and in bridge or host mode require IMDSv2 with a hop limit of 1, so that application containers are confined to their Task Role.
Task Execution Role
The Task Execution Role is an IAM role that ECS itself assumes on your behalf to set up a task. It is used not by the container processes but by the ECS agent (or, on Fargate, the Fargate agent) when it prepares the task: pulling the container image from ECR, creating and writing CloudWatch Logs streams, authenticating to a private registry, and retrieving secrets from Secrets Manager or SSM Parameter Store to inject as environment variables. Its credentials are not exposed inside the container, so permissions granted here do not extend to application code. Note that the scope of this role differs between the EC2 and Fargate launch types.
Task Role
The Task Role is the IAM role assumed by the application containers themselves, set per task definition. Use it when the application must call AWS services, for example to read and write objects in S3 or items in DynamoDB. The agent exposes its temporary credentials to the containers through the task metadata endpoint (169.254.170.2, advertised via the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable), where the AWS SDKs pick them up automatically. Every container in the task shares the role, so scope it to the least privilege the application needs. Unlike the Task Execution Role, the Task Role behaves the same for both launch types.
Differences in Behavior Based on Launch Type
IAM roles for ECS can behave differently depending on the chosen launch type - EC2 or Fargate.
Launch Type: EC2
Container Instance IAM Role
In the EC2 launch type the Container Instance IAM Role is what pulls images from ECR at task start and delivers container logs to CloudWatch Logs through the awslogs log driver, because both the image pull and the log driver run on the host rather than inside the task.
Task Execution Role
On EC2 the Task Execution Role covers private registry authentication and secret retrieval: it fetches the values referenced from Secrets Manager or SSM Parameter Store and injects them into the containers as environment variables.
Task Role
The Task Role is used for every AWS API call made by the application code inside the containers, such as file operations on S3 or reading and writing data in DynamoDB.
Launch Type: Fargate
Container Instance IAM Role
With the Fargate launch type there are no EC2 instances to assign a role to, so no Container Instance IAM Role exists.
Task Execution Role
On Fargate the Task Execution Role takes on the duties that the Container Instance IAM Role performs under the EC2 launch type: pulling images from ECR at task start, delivering container logs to CloudWatch Logs, private registry authentication, and secret retrieval.
Task Role
As with the EC2 launch type, the Task Role on Fargate is used for every AWS API call made by the application code inside the containers.
Task Execution Role in Fargate
Fargate's serverless architecture means it does not allow you to manage the underlying EC2 instances directly. This translates to a shifting of responsibilities, which are traditionally assigned to the Container Instance IAM Role in an EC2 launch type, to the Task Execution Role in a Fargate context.
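As an added worked example (not code from the original article or from AWS), the following Python script turns the split described above into IAM policy statements: given a task definition and a launch type, it decides which statements belong on the Container Instance IAM Role and which on the Task Execution Role. The task definition, account ID, ARNs and registry hostname are constructed for the example, and the function names (required_permissions, ecr_repository_arn, secret_resources, log_group_arns) are mine, not an AWS API.

```python
"""Derive per-role IAM statements from an ECS task definition.

Added example, not code from the original article or from AWS. On EC2, ECR
pulls and awslogs delivery go on the container instance role and registry
credentials plus secret injection on the execution role; on Fargate there is
no instance role, so the execution role gets all of it. The task role belongs
to the application and is not derived here. All data below is constructed.
"""
import json

ECR_PULL_ACTIONS = ["ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]
LOG_ACTIONS = ["logs:CreateLogStream", "logs:PutLogEvents"]

SAMPLE_TASK_DEF = {  # constructed sample task definition
    "family": "web",
    "containerDefinitions": [
        {
            "name": "web",
            "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/app/web:1.2",
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {"awslogs-group": "/ecs/web", "awslogs-region": "us-east-1",
                            "awslogs-stream-prefix": "web"},
            },
            "secrets": [
                {"name": "DB_PASSWORD",
                 "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf"},
                {"name": "API_KEY", "valueFrom": "/prod/api-key"},  # bare SSM parameter name
            ],
        },
        {
            "name": "sidecar",
            "image": "registry.example.com/vendor/agent:3",  # not ECR: needs private registry creds
            "repositoryCredentials": {
                "credentialsParameter": "arn:aws:secretsmanager:us-east-1:123456789012:secret:vendor-registry-XyZ123"},
        },
    ],
}


def ecr_repository_arn(image):
    """Repository ARN for an ECR image reference, or None for any other registry."""
    host, _, path = image.partition("/")
    if ".dkr.ecr." not in host or not host.endswith(".amazonaws.com"):
        return None
    account = host.split(".")[0]
    region = host.split(".dkr.ecr.")[1].split(".")[0]
    repo = path.split("@")[0].split(":")[0]  # strip tag or digest
    return f"arn:aws:ecr:{region}:{account}:repository/{repo}"


def secret_resources(task_def, region, account_id):
    """Split every secret reference into Secrets Manager ARNs and SSM parameter ARNs."""
    sm, ssm = set(), set()
    for c in task_def["containerDefinitions"]:
        creds = c.get("repositoryCredentials", {}).get("credentialsParameter")
        if creds:
            sm.add(creds)
        for s in c.get("secrets", []):
            ref = s["valueFrom"]
            if ref.startswith("arn:aws:secretsmanager:"):
                sm.add(ref)
            elif ref.startswith("arn:aws:ssm:"):
                ssm.add(ref)
            else:  # a bare name resolves in the task's own region and account
                ssm.add(f"arn:aws:ssm:{region}:{account_id}:parameter/{ref.lstrip('/')}")
    return sorted(sm), sorted(ssm)


def log_group_arns(task_def, region, account_id):
    """Log group ARNs used by awslogs, and whether the driver is asked to create groups."""
    groups, create = set(), False
    for c in task_def["containerDefinitions"]:
        lc = c.get("logConfiguration", {})
        if lc.get("logDriver") != "awslogs":
            continue
        opts = lc["options"]
        groups.add(f"arn:aws:logs:{region}:{account_id}:log-group:{opts['awslogs-group']}:*")
        create = create or opts.get("awslogs-create-group") == "true"
    return sorted(groups), create


def required_permissions(task_def, launch_type, region, account_id):
    """Map the task's needs onto the instance role and execution role for a launch type."""
    launch_type = launch_type.upper()
    if launch_type not in ("EC2", "FARGATE"):
        raise ValueError(f"unknown launch type {launch_type!r}")
    host_side, execution = [], []  # image pull + log delivery vs. registry auth + secrets
    repos = sorted({a for a in (ecr_repository_arn(c["image"]) for c in task_def["containerDefinitions"]) if a})
    if repos:  # GetAuthorizationToken only accepts "*"; the pull actions can be scoped per repository
        host_side.append({"Sid": "EcrAuth", "Effect": "Allow", "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"})
        host_side.append({"Sid": "EcrPull", "Effect": "Allow", "Action": ECR_PULL_ACTIONS, "Resource": repos})
    groups, create = log_group_arns(task_def, region, account_id)
    if groups:
        actions = LOG_ACTIONS + (["logs:CreateLogGroup"] if create else [])
        host_side.append({"Sid": "AwsLogs", "Effect": "Allow", "Action": actions, "Resource": groups})
    sm, ssm = secret_resources(task_def, region, account_id)
    if sm:
        execution.append({"Sid": "SecretsManager", "Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"], "Resource": sm})
    if ssm:
        execution.append({"Sid": "SsmParameters", "Effect": "Allow", "Action": ["ssm:GetParameters"], "Resource": ssm})
    if launch_type == "FARGATE":  # no instance role: the execution role absorbs the host-side work
        return {"instanceRole": [], "executionRole": host_side + execution}
    # On EC2 the instance role also needs the agent's baseline (AmazonEC2ContainerServiceforEC2Role);
    # only the task-derived statements are listed here.
    return {"instanceRole": host_side, "executionRole": execution}


if __name__ == "__main__":
    for lt in ("EC2", "FARGATE"):
        print(lt, json.dumps(required_permissions(SAMPLE_TASK_DEF, lt, "us-east-1", "123456789012"), indent=2))
```

Running the script prints both variants: for EC2 the ECR and CloudWatch Logs statements land on the instance role and only the Secrets Manager and SSM statements on the execution role, while for Fargate all five statements land on the execution role. The Task Role is deliberately left out, since its permissions depend on what the application code calls rather than on the task definition.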