
Serverless Containers with ECS Fargate - Part 2

Mobycast
Episode • Nov 13, 2019 • 57m

Support Mobycast
https://glow.fm/mobycast

In this episode, we cover the following topics:

  • Identity and access management for ECS
    • Primary roles
      • ECS Container Instance IAM Role
        • ecsInstanceRole
        • IAM policy and role required by ECS agent to make ECS API calls on your behalf
      • ECS Service Scheduler IAM Role
        • ecsServiceRole
        • ECS service scheduler makes calls to EC2 and ELB APIs on your behalf
          • Register/deregister container instances with load balancers
      • ECS Task Execution IAM Role
        • ecsTaskExecutionRole
        • Also used by ECS agent to make AWS API calls on your behalf
        • Typical use cases
          • Your task uses Fargate and...
            • pulls a container image from Amazon ECR
            • uses the awslogs log driver
          • Your task uses either the Fargate or EC2 launch type and...
            • pulls images from a private registry
            • the task definition references sensitive data using Secrets Manager or Parameter Store
    • Secondary roles
      • ECS Service Auto Scaling IAM Role
        • ecsAutoscaleRole
        • Used by Application Auto Scaling service to describe CloudWatch alarms and registered services
          • Updates the ECS service's desired count
      • CloudWatch Events IAM Role
        • ecsEventsRole
        • Required role when you have ECS scheduled tasks
        • Interacts with CloudWatch Events rules and targets
        • This IAM policy and role gives CloudWatch permissions to run ECS tasks on your behalf
      • ECS CodeDeploy IAM Role
        • ecsCodeDeployRole
        • Required when doing blue/green deployments (powered by CodeDeploy)
    • Best practice: Using task-based IAM roles
      • IAM role for Amazon ECS tasks
        • Allows you to specify an IAM role that can be used by the containers in a task
        • IAM role for task is specified using the taskRoleArn setting in task definition
      • Prefer more granular task-based IAM roles over instance roles
      • Each specific task definition or service should have its own role
      • Benefits of task-based IAM roles
        • Least privilege
          • By specifying access at the task-level (instead of at the instance-level), we can have fine-grained control
          • Only give the minimum required permissions for the tasks to operate
        • Credential isolation
          • Container can only use credentials assigned to it
        • Auditability
          • Access and event logging available via CloudTrail
          • CloudTrail logs show taskArn
      • Creating a task-based IAM role
        • First create IAM policy that specifies the minimal permissions needed by your containers
          • Or use an existing managed policy
        • Next create an IAM role for your task
          • Create role based on Amazon Elastic Container Service Task Role service role
        • Then attach your IAM policy to the task role
        • Example: Container needs to make S3 calls
          • Create a new IAM role for the task, and attach the "AmazonS3ReadOnlyAccess" policy to the role
          • Then use the role ARN in task definition
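
The three steps under "Creating a task-based IAM role" carried through with the AWS CLI, as an added example that is not from the episode: the trust policy an ECS task role needs, attaching AmazonS3ReadOnlyAccess, and a Fargate task definition that sets taskRoleArn separately from executionRoleArn so the application never inherits the agent's permissions. The role name, account id and image URI are placeholders; the AWS calls run only when the script is invoked with the argument `provision`.

```shell
# Added example (not from the episode): create a task-based IAM role with
# read-only S3 access and reference it from a Fargate task definition.
# Role name, account id and image URI below are placeholders.
set -eu
ROLE_NAME="${ROLE_NAME:-mobycast-s3-reader-task-role}"
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"

# Trust policy: only the ECS tasks service may assume this role (what the
# "Amazon Elastic Container Service Task Role" console choice produces).
trust_policy() {
  cat <<'EOF'
{ "Version": "2012-10-17",
  "Statement": [{ "Effect": "Allow", "Action": "sts:AssumeRole",
                  "Principal": { "Service": "ecs-tasks.amazonaws.com" } }] }
EOF
}

# Task definition: taskRoleArn (what the app containers may call) stays apart
# from executionRoleArn (what the ECS agent needs for ECR pulls and awslogs).
# Refuses to emit a definition that reuses one role for both purposes.
task_definition() {
  local task_role_arn="$1" exec_role_arn="$2"
  if [ "$task_role_arn" = "$exec_role_arn" ]; then
    echo "task role and execution role must differ (credential isolation)" >&2
    return 1
  fi
  cat <<EOF
{ "family": "mobycast-s3-reader",
  "requiresCompatibilities": ["FARGATE"],
  "networkMode": "awsvpc", "cpu": "256", "memory": "512",
  "taskRoleArn": "${task_role_arn}",
  "executionRoleArn": "${exec_role_arn}",
  "containerDefinitions": [{ "name": "app", "essential": true,
    "image": "${ACCOUNT_ID}.dkr.ecr.us-east-1.amazonaws.com/s3-reader:latest" }] }
EOF
}

# The three steps from the show notes, run against AWS (needs credentials).
provision() {
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy)"
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
  task_definition "arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}" \
    "arn:aws:iam::${ACCOUNT_ID}:role/ecsTaskExecutionRole" > taskdef.json
  aws ecs register-task-definition --cli-input-json file://taskdef.json
}

if [ "${1:-}" = "provision" ]; then provision; fi
```

After registering, CloudTrail entries for the S3 calls carry the task role's session, which is the auditability point made above.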

End Song
Beauty in Rhythm (Fredy Grogan Remix) - Roy England

For a full transcription of this episode, please visit the episode webpage.

We'd love to hear from you! You can reach us at: