Support Mobycast
https://glow.fm/mobycast

In this episode, we cover the following topics:

Identity and access management for ECS

Primary roles
- ECS Container Instance IAM Role
  - ecsInstanceRole
  - IAM policy and role required by the ECS agent to make ECS API calls on your behalf
- ECS Service Scheduler IAM Role
  - ecsServiceRole
  - The ECS service scheduler makes calls to the EC2 and ELB APIs on your behalf
  - Registers/deregisters container instances with load balancers
- ECS Task Execution IAM Role
  - ecsTaskExecutionRole
  - Also used by the ECS agent to make AWS API calls on your behalf
  - Typical use cases
    - Your task uses Fargate and is...
      - pulling a container image from Amazon ECR
      - using the awslogs log driver
    - Your task uses either the Fargate or EC2 launch type and...
      - pulls images from a private registry
      - the task definition references sensitive data using Secrets Manager or Parameter Store

Secondary roles
- ECS Service Auto Scaling IAM Role
  - ecsAutoscaleRole
  - Used by the Application Auto Scaling service to describe CloudWatch alarms and registered services
  - Updates an ECS service's desired count
- CloudWatch Events IAM Role
  - ecsEventsRole
  - Required role when you have ECS scheduled tasks
  - Interacts with CloudWatch Events rules and targets
  - This IAM policy and role gives CloudWatch permission to run ECS tasks on your behalf
- ECS CodeDeploy IAM Role
  - ecsCodeDeployRole
  - Required when doing blue/green deployments (powered by CodeDeploy)

Best practice: Using task-based IAM roles
- IAM role for Amazon ECS tasks
  - Allows you to specify an IAM role that can be used by the containers in a task
  - The IAM role for a task is specified using the taskRoleArn setting in the task definition
- Prefer more granular task-based IAM roles over instance roles
  - Each specific task definition or service should have its own role
- Benefits of task-based IAM roles
  - Least privilege
    - By specifying access at the task level (instead of at the instance level), we can have fine-grained control
    - Only give the minimum permissions required for the tasks to operate
  - Credential isolation
    - A container can only use the credentials assigned to it
  - Auditability
    - Access and event logging available via CloudTrail
    - CloudTrail logs show the taskArn
- Creating a task-based IAM role
  - First, create an IAM policy that specifies the minimal permissions needed by your containers
    - Or use an existing managed policy
  - Next, create an IAM role for your task
    - Create the role based on the "Amazon Elastic Container Service Task Role" service role
  - Then attach your IAM policy to the task role
  - Example: Container needs to make S3 calls
    - Create a new IAM role for the task, and attach the "AmazonS3ReadOnlyAccess" policy to the role
    - Then use the role ARN in the task definition

Links
- Amazon Elastic Container Service
- AWS Fargate - Product Page
- ECS Fargate - Developer Guide
- IAM Roles for Tasks

End Song
Beauty in Rhythm (Fredy Grogan Remix) - Roy England

For a full transcription of this episode, please visit the episode webpage.

We'd love to hear from you! You can reach us at:
Web: https://mobycast.fm
Voicemail: 844-818-0993
Email: ask@mobycast.fm
Twitter: https://twitter.com/hashtag/mobycast
Reddit: https://reddit.com/r/mobycast
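The "Creating a task-based IAM role" steps above, scripted with the AWS CLI, as an added example that is not part of the episode notes or any Mobycast project code. It goes one step beyond the episode's S3 example: instead of attaching the managed AmazonS3ReadOnlyAccess policy, it writes a customer-managed policy scoped to a single bucket, which is the least-privilege shape the episode recommends. The role name, policy name, bucket name, task family and account id are assumptions chosen for illustration; the trust policy's principal (ecs-tasks.amazonaws.com) is what the console's "Amazon Elastic Container Service Task Role" choice configures. Nothing is sent to AWS unless the script is invoked with the argument `apply`.

```shell
#!/bin/sh
# Added example (not from the episode): create a task-based IAM role with
# the AWS CLI. ROLE_NAME, POLICY_NAME and BUCKET are assumed values.
set -eu

ROLE_NAME="${ROLE_NAME:-orders-api-task-role}"   # assumed; one role per task definition
POLICY_NAME="${POLICY_NAME:-orders-api-s3-read}" # assumed
BUCKET="${BUCKET:-example-orders-bucket}"        # assumed bucket the container reads

# Trust policy: only the ECS tasks service may assume this role.
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "ecs-tasks.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Step 1: permission policy. Narrower than the managed AmazonS3ReadOnlyAccess
# policy: read access to one bucket only, no wildcard actions or resources.
permission_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": ["s3:GetObject"],  "Resource": "arn:aws:s3:::${BUCKET}/*" },
    { "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::${BUCKET}" }
  ]
}
EOF
}

# Task definition fragment. taskRoleArn (used by the containers) is deliberately
# a different role from executionRoleArn (used by the ECS agent to pull images
# and ship logs), so application credentials never include agent permissions.
task_definition() {
  account_id="$1"
  cat <<EOF
{
  "family": "orders-api",
  "taskRoleArn": "arn:aws:iam::${account_id}:role/${ROLE_NAME}",
  "executionRoleArn": "arn:aws:iam::${account_id}:role/ecsTaskExecutionRole",
  "networkMode": "awsvpc",
  "requiresCompatibilities": ["FARGATE"],
  "cpu": "256",
  "memory": "512",
  "containerDefinitions": [{ "name": "orders-api", "image": "REPLACE_WITH_IMAGE", "essential": true }]
}
EOF
}

# Pre-flight check before anything is registered: reject wildcard actions or
# resources in the permission policy, a trust policy that does not name the
# ECS tasks service, and a task definition with no taskRoleArn. Returns 0 on pass.
check_documents() {
  permission_policy | grep -q '"Action": \["\*"\]' && return 1
  permission_policy | grep -q '"Resource": "\*"' && return 1
  trust_policy | grep -q 'ecs-tasks.amazonaws.com' || return 1
  task_definition 123456789012 | grep -q '"taskRoleArn"' || return 1
  return 0
}

# Steps 1-3 plus task registration. Requires configured AWS credentials.
apply_task_role() {
  check_documents
  tmp="$(mktemp -d)"
  account_id="$(aws sts get-caller-identity --query Account --output text)"
  trust_policy > "$tmp/trust.json"
  permission_policy > "$tmp/policy.json"
  # Step 1: create the customer-managed policy
  policy_arn="$(aws iam create-policy --policy-name "$POLICY_NAME" \
      --policy-document "file://$tmp/policy.json" --query Policy.Arn --output text)"
  # Step 2: create the task role with the ECS tasks trust policy
  aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "file://$tmp/trust.json"
  # Step 3: attach the policy to the task role
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$policy_arn"
  # Then reference the role ARN from the task definition
  task_definition "$account_id" > "$tmp/taskdef.json"
  aws ecs register-task-definition --cli-input-json "file://$tmp/taskdef.json"
}

if [ "${1:-}" = "apply" ]; then
  apply_task_role
fi
```

Running the script with no arguments only defines the functions; `check_documents` can be sourced and called in CI so that a policy edit introducing `"Action": ["*"]` fails before the role is ever created. Once the task is running, the CloudTrail entries for its S3 calls carry this role's session and the taskArn, which is the auditability benefit the episode describes.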