86. Serverless Containers with ECS Fargate – Part 2

In episode #85 of Mobycast, we introduced AWS Fargate, which brings the serverless concept to running containers on ECS. We discussed the features and benefits of Fargate, as well as how it differs from normal EC2 launch types.

Now it’s time to dive deeper into some of the details you need to know to successfully run your containers on Fargate.

In this episode of Mobycast, Jon and Chris continue their three-part series on serverless containers with an in-depth discussion of identity and access management for ECS. We learn about the various roles you will encounter, why they are needed and how to use them. We also share a best practice that will make you look like a security pro!

Show Details

In this episode, we cover the following topics:

  • Identity and access management for ECS
    • Primary roles
      • ECS Container Instance IAM Role
        • ecsInstanceRole
        • IAM policy and role required by ECS agent to make ECS API calls on your behalf
      • ECS Service Scheduler IAM Role
        • ecsServiceRole
        • ECS service scheduler makes calls to EC2 and ELB APIs on your behalf
          • Register/deregister container instances with load balancers
      • ECS Task Execution IAM Role
        • ecsTaskExecutionRole
        • Also used by ECS agent to make AWS API calls on your behalf
        • Typical use cases
          • Your task uses Fargate and is…
            • pulling a container image from Amazon ECR
            • using the awslogs log driver
          • Your task uses either the Fargate or EC2 launch type and…
            • pulls images from a private registry
            • the task definition references sensitive data using Secrets Manager or Parameter Store
    • Secondary roles
      • ECS Service Auto Scaling IAM Role
        • ecsAutoscaleRole
        • Used by Application Auto Scaling service to describe CloudWatch alarms and registered services
          • Updates the ECS service’s desired count
      • CloudWatch Events IAM Role
        • ecsEventsRole
        • Required role when you have ECS scheduled tasks
        • Interacts with CloudWatch Events rules and targets
        • This IAM policy and role gives CloudWatch permissions to run ECS tasks on your behalf
      • ECS CodeDeploy IAM Role
        • ecsCodeDeployRole
        • Required when doing blue/green deployments (powered by CodeDeploy)
    • Best practice: Using task-based IAM roles
      • IAM role for Amazon ECS tasks
        • Allows you to specify an IAM role that can be used by the containers in a task
        • IAM role for task is specified using the taskRoleArn setting in task definition
      • Prefer more granular task-based IAM roles over instance roles
      • Each specific task definition or service should have its own role
      • Benefits of task-based IAM roles
        • Least privilege
          • By specifying access at the task-level (instead of at the instance-level), we can have fine-grained control
          • Only give the minimum required permissions for the tasks to operate
        • Credential isolation
          • Container can only use credentials assigned to it
        • Auditability
          • Access and event logging available via CloudTrail
          • CloudTrail logs show taskArn
      • Creating a task-based IAM role
        • First create IAM policy that specifies the minimal permissions needed by your containers
          • Or use an existing managed policy
        • Next create an IAM role for your task
          • Create role based on Amazon Elastic Container Service Task Role service role
        • Then attach your IAM policy to the task role
        • Example: Container needs to make S3 calls
          • Create a new IAM role for the task, and attach the “AmazonS3ReadOnlyAccess” policy to the role
          • Then use the role ARN in task definition
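A worked version of the S3 example above, added here and not taken from the episode or from AWS: it builds the trust policy for a task role and lints a task definition for the points the outline makes (its own task role, distinct from the execution and instance roles, no static credentials). The account id, role names and image are constructed placeholders.

```python
import json

# Constructed placeholder values; not real AWS resources.
ACCOUNT_ID = "123456789012"
TASK_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/s3-reader-task-role"
EXEC_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/ecsTaskExecutionRole"
ECS_TASKS_PRINCIPAL = "ecs-tasks.amazonaws.com"  # service principal for task roles


def task_role_trust_policy(account_id: str) -> dict:
    """Trust policy for a task role: only the ECS tasks service may assume it, and only
    for tasks in our own account (aws:SourceAccount guards against a confused deputy)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ECS_TASKS_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
    }]}


def lint_trust_policy(policy: dict) -> list:
    """Flag trust statements that let anything other than ECS tasks assume the role."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        if principal == "*" or principal.get("Service") != ECS_TASKS_PRINCIPAL:
            findings.append(f"trust policy allows a non-ECS principal: {principal}")
        if "aws:SourceAccount" not in json.dumps(stmt.get("Condition", {})):
            findings.append("trust policy lacks an aws:SourceAccount condition")
    return findings


def lint_task_definition(td: dict) -> list:
    """Check a task definition against the task-role best practice from the outline."""
    findings = []
    task_role, exec_role = td.get("taskRoleArn"), td.get("executionRoleArn")
    if not task_role:
        findings.append("no taskRoleArn: on the EC2 launch type containers fall back to the instance role")
    elif task_role == exec_role:
        findings.append("taskRoleArn equals executionRoleArn: app code inherits the agent's ECR/logs/secrets access")
    elif task_role.endswith("/ecsInstanceRole"):
        findings.append("taskRoleArn is the instance role; give each task definition its own role")
    for cd in td.get("containerDefinitions", []):
        for env in cd.get("environment", []):
            if env.get("name", "").startswith("AWS_SECRET"):
                findings.append(f"{cd.get('name')}: static AWS credentials in environment; use the task role")
    return findings


# Constructed Fargate task definition for the S3 read-only example.
GOOD_TASK_DEF = {
    "family": "s3-reader", "requiresCompatibilities": ["FARGATE"], "networkMode": "awsvpc",
    "cpu": "256", "memory": "512", "taskRoleArn": TASK_ROLE_ARN, "executionRoleArn": EXEC_ROLE_ARN,
    "containerDefinitions": [{"name": "app", "image": f"{ACCOUNT_ID}.dkr.ecr.us-east-1.amazonaws.com/s3-reader:1.0",
                              "logConfiguration": {"logDriver": "awslogs", "options": {"awslogs-group": "/ecs/s3-reader"}}}],
}
```

The task role itself would carry the AmazonS3ReadOnlyAccess managed policy (or a narrower custom policy); the execution role stays the one the ECS agent uses to pull the image and ship logs.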


End Song

Beauty in Rhythm (Fredy Grogan Remix) – Roy England

We’d love to hear from you! You can reach us at:

Coming soon…
