Amazon EC2 Container Service
Developer Guide (API Version 2014-11-13)

Windows IAM Roles for Tasks

IAM roles for tasks on Windows require extra configuration, but much of it mirrors enabling IAM roles for tasks on Linux container instances. The following requirements must be met to enable IAM roles for tasks for Windows containers.

  • When you launch your container instances, you must enable the feature by setting the ECS_ENABLE_TASK_IAM_ROLE environment variable in the container instance's startup (user data) script.

  • You must bootstrap your container with the networking commands that are provided in IAM Roles for Task Container Bootstrap Script.

  • You must create an IAM role and policy for your tasks. For more information, see Creating an IAM Role and Policy for your Tasks.

  • Your container must use an AWS SDK that supports IAM roles for tasks. For more information, see Using a Supported AWS SDK.

  • You must specify the IAM role you created for your tasks when you register the task definition, or as an override when you run the task. For more information, see Specifying an IAM Role for your Tasks.

  • The IAM roles for tasks credential provider listens on port 80 of the container instance, so if you enable IAM roles for tasks on a container instance, none of its containers can use host port 80 in a port mapping. To expose containers on port 80, configure a service for them that uses load balancing: the load balancer listens on port 80 and routes traffic to a different host port on the container instances. For more information, see Service Load Balancing.
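The instance-side part of the procedure above, as an added example that is not part of the guide. It is a user data script for a Windows container instance that sets the ECS_ENABLE_TASK_IAM_ROLE variable the guide requires and refuses to start the agent if host port 80 (which the credential proxy needs) is already taken. The cluster name is a placeholder, and the Initialize-ECSAgent cmdlet with its -EnableTaskIAMRole switch is assumed to be the one shipped on the Amazon ECS-optimized Windows AMI.

```powershell
<powershell>
# Added example user data for a Windows ECS container instance (not from the guide).
# Assumes the ECS-optimized Windows AMI, whose Initialize-ECSAgent cmdlet starts the agent.
$clusterName = "my-windows-cluster"   # placeholder; use your own cluster name

# The guide's requirement: enable the feature through the agent's environment.
[Environment]::SetEnvironmentVariable("ECS_CLUSTER", $clusterName, "Machine")
[Environment]::SetEnvironmentVariable("ECS_ENABLE_TASK_IAM_ROLE", "true", "Machine")

# The credential proxy binds host port 80. Fail loudly if something already listens
# there rather than letting the proxy and another service contend for the port.
$listener = Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    $pids = ($listener | Select-Object -ExpandProperty OwningProcess -Unique) -join ','
    throw "Host port 80 is already in use (PID $pids); the task IAM role credential proxy needs it."
}

# -EnableTaskIAMRole is assumed to be the AMI cmdlet's switch for this feature.
Initialize-ECSAgent -Cluster $clusterName -EnableTaskIAMRole
</powershell>
```

Run this as the instance's user data; the port check turns a silent proxy start-up failure into an obvious boot error you will see in the instance's console output.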

IAM Roles for Task Container Bootstrap Script

Before a container can reach the credential proxy on the container instance to obtain credentials, it must be bootstrapped with the required networking commands. The following script must run inside each container at start-up, before the application tries to use the task role.

# Copyright 2014-2016 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"). You may
# not use this file except in compliance with the License. A copy of the
# License is located at
#
#     http://aws.amazon.com/apache2.0/
#
# or in the "license" file accompanying this file. This file is distributed
# on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
# express or implied. See the License for the specific language governing
# permissions and limitations under the License.

# Find the container's default gateway: the 0.0.0.0/0 route with the lowest metric.
$gateway = (Get-WMIObject -Class Win32_IP4RouteTable | Where { $_.Destination -eq '0.0.0.0' -and $_.Mask -eq '0.0.0.0' } | Sort-Object Metric1 | Select-Object -First 1 NextHop).NextHop

# Find the Hyper-V virtual NIC that the container's traffic leaves through.
$ifIndex = (Get-NetAdapter -InterfaceDescription "Hyper-V Virtual Ethernet*" | Sort-Object ifIndex | Select-Object -First 1 ifIndex).ifIndex

# Route the credential provider address (169.254.170.2) via the gateway so that
# requests reach the credential proxy listening on the container instance.
New-NetRoute -DestinationPrefix 169.254.170.2/32 -InterfaceIndex $ifIndex -NextHop $gateway
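A container-side check to run after the bootstrap script, as an added example that is not part of the guide. It verifies that the route is in place and that the credential proxy actually hands out credentials for the task role before the application starts, and it logs only the non-secret fields. It assumes the ECS agent injects AWS_CONTAINER_CREDENTIALS_RELATIVE_URI into the task's containers, that 169.254.170.2 is the credential provider address, and that the proxy's JSON response carries the RoleArn, AccessKeyId, SecretAccessKey, Token and Expiration fields.

```powershell
# Added example (not from the guide): fail fast if task role credentials are unreachable.
# Assumes the ECS credential-provider contract described in the lead-in.
$endpoint = "169.254.170.2"
$relativeUri = $env:AWS_CONTAINER_CREDENTIALS_RELATIVE_URI

if (-not $relativeUri) {
    throw "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is not set: the task has no IAM role, or the feature is disabled on this instance."
}

# The bootstrap script must have added a /32 route to the credential provider.
$route = Get-NetRoute -DestinationPrefix "$endpoint/32" -ErrorAction SilentlyContinue
if (-not $route) {
    throw "No route to $endpoint; run the IAM roles for tasks bootstrap script before the application."
}

# Ask the proxy for credentials. A short timeout keeps a broken route from hanging start-up.
try {
    $creds = Invoke-RestMethod -Uri "http://$endpoint$relativeUri" -TimeoutSec 5
} catch {
    throw "Credential proxy at $endpoint is unreachable: $($_.Exception.Message)"
}

# Validate the response shape without ever echoing the secret material.
foreach ($field in 'RoleArn', 'AccessKeyId', 'SecretAccessKey', 'Token', 'Expiration') {
    if (-not $creds.$field) { throw "Credential response is missing the $field field." }
}
Write-Host ("Task role credentials OK: RoleArn={0} AccessKeyId={1} Expiration={2}" -f `
    $creds.RoleArn, $creds.AccessKeyId, $creds.Expiration)
```

Put this between the bootstrap commands and the application's entry point; an SDK that supports IAM roles for tasks will then find credentials on its first call instead of failing later with a less obvious error.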