Posted On: Jul 13, 2016
Amazon EC2 Container Service (ECS) now allows you to specify an IAM role that can be used by the containers in an ECS task.
When an application uses the AWS SDK or CLI to call the AWS API, for example to access a DynamoDB table, it must sign each request with valid AWS access keys so that AWS can identify the caller. You therefore need a strategy for managing and distributing credentials to your applications.
Previously, you could specify an IAM role for the EC2 instances in your ECS cluster, but that meant every privilege required by any task in the cluster had to be granted to that single role, so a task could end up using privileges it did not need.
Now, you can specify an IAM role for each ECS task. The applications in the task’s containers can then use the AWS SDK or CLI to make API requests to the AWS services that role authorizes. This lets the EC2 instance keep a minimal role, respecting the principle of least privilege, and lets you manage the instance role and the task role separately. You also gain visibility into which task is using which role, since the role each task assumes is recorded in CloudTrail logs.
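As an added illustration (not AWS's own code), the following builds the three IAM pieces that separate instance and task privileges: a trust policy that lets only the ECS task scheduler assume the task role, a task-scoped permissions policy, and the task definition field that binds them; it also contrasts the per-task split with the old single-instance-role approach. The account id, table name, role ARNs and image name are placeholders.

```python
"""Added example: IAM pieces behind an ECS task role (not AWS's own code)."""
import json

ACCOUNT = "123456789012"  # placeholder account id
TABLE_ARN = f"arn:aws:dynamodb:us-east-1:{ACCOUNT}:table/orders"  # placeholder table
TASK_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/orders-task-role"   # placeholder role

# Trust policy: only the ECS task scheduler (ecs-tasks.amazonaws.com) may assume
# the task role. The SDK inside the container later obtains the resulting
# credentials via the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI endpoint.
TASK_ROLE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "ecs-tasks.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

# Permissions policy: only what this one task's application needs.
TASK_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": TABLE_ARN,
    "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"]}]}

# Instance role: only what the ECS agent itself needs (subset of the managed
# AmazonEC2ContainerServiceforEC2Role policy); no application permissions.
INSTANCE_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ecs:RegisterContainerInstance", "ecs:Poll", "ecs:Submit*",
               "ecr:GetAuthorizationToken", "ecr:BatchGetImage",
               "logs:CreateLogStream", "logs:PutLogEvents"]}]}


def task_definition(task_role_arn: str) -> dict:
    """Minimal task definition; taskRoleArn is what binds the task to its role."""
    return {"family": "orders-api", "taskRoleArn": task_role_arn,
            "containerDefinitions": [{"name": "api", "memory": 256, "essential": True,
                                      "image": "example/orders-api:1.0"}]}  # placeholder


def actions_in(policy: dict) -> set:
    """Flatten every Action string in a policy document into one set."""
    acts = set()
    for st in policy["Statement"]:
        a = st["Action"]
        acts.update([a] if isinstance(a, str) else a)
    return acts


def legacy_instance_actions(*task_policies: dict) -> set:
    """Pre-task-role model: the instance role had to carry the union of all tasks' actions."""
    return actions_in(INSTANCE_ROLE_POLICY).union(*(actions_in(p) for p in task_policies))


def instance_role_is_minimal(instance_policy: dict, task_policy: dict) -> bool:
    """True when no application action granted to the task also sits on the instance role."""
    return not (actions_in(instance_policy) & actions_in(task_policy))


if __name__ == "__main__":
    print(json.dumps(task_definition(TASK_ROLE_ARN), indent=2))
```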