Amazon ECS EventBridge IAM Role

Before you can use Amazon ECS scheduled tasks with EventBridge rules and targets, the EventBridge service
needs permissions to run Amazon ECS tasks on your behalf. These permissions are provided by the
EventBridge IAM role (ecsEventsRole).

The AmazonEC2ContainerServiceEventsRole policy is shown below.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ecs:RunTask"],
            "Resource": ["*"]
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": ["*"],
            "Condition": {
                "StringLike": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}
            }
        },
        {
            "Effect": "Allow",
            "Action": "ecs:TagResource",
            "Resource": "*",
            "Condition": {
                "StringEquals": {"ecs:CreateAction": ["RunTask"]}
            }
        }
    ]
}
If your scheduled tasks require the use of the task execution role, a task role, or a task
role override, then you must add iam:PassRole permissions for each task execution role,
task role, or task role override to the EventBridge IAM role. For more information about
the task execution role, see Amazon ECS task execution IAM role.
Note

Specify the full ARN of your task execution role or task role override.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": ["arn:aws:iam::<aws_account_id>:role/<ecsTaskExecutionRole_or_TaskRole_name>"]
        }
    ]
}
You can choose to let the AWS Management Console create the EventBridge role for you when you configure a scheduled task. For more information, see Using Amazon EventBridge Scheduler to schedule Amazon ECS tasks.
Creating the EventBridge role

Replace all user input with your own information.

- Create a file named eventbridge-trust-policy.json that contains the trust policy to use for the IAM role. The file should contain the following:

  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Sid": "",
              "Effect": "Allow",
              "Principal": {
                  "Service": "events.amazonaws.com"
              },
              "Action": "sts:AssumeRole"
          }
      ]
  }

- Use the following command to create an IAM role named ecsEventsRole by using the trust policy that you created in the previous step.

  aws iam create-role \
      --role-name ecsEventsRole \
      --assume-role-policy-document file://eventbridge-trust-policy.json

- Attach the AWS managed AmazonEC2ContainerServiceEventsRole policy to the ecsEventsRole role using the following command.

  aws iam attach-role-policy \
      --role-name ecsEventsRole \
      --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceEventsRole
You can also use the IAM console's Custom trust policy workflow (https://console.aws.amazon.com/iam/).
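The following POSIX shell script is an added example, not code from the AWS documentation. It covers the per-role iam:PassRole grant described earlier: instead of granting PassRole on "*", it reads the execution role and task role ARNs straight from a task definition, validates that each really is an IAM role ARN, builds a policy scoped to exactly those ARNs (with the same iam:PassedToService condition the managed policy uses) and attaches it to ecsEventsRole as an inline policy. It also includes a check that the role's trust policy lets events.amazonaws.com assume it, which is the prerequisite the procedure above sets up. The function names, the inline policy name prefix ecsEventsPassRole- and the role ARNs in the comments are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): scope the extra iam:PassRole
# grant for ecsEventsRole to the exact role ARNs one task definition uses.
# Assumed names: the helper functions below and the ecsEventsPassRole- prefix.
set -eu

# is_role_arn ARN: accept only IAM role ARNs in the "aws" partition
# (12-digit account id, "role/" path). Widen the pattern for aws-cn/aws-us-gov.
is_role_arn() {
  case "$1" in
    arn:aws:iam::[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:role/?*) return 0 ;;
    *) return 1 ;;
  esac
}

# build_passrole_policy ARN...: print a policy document that allows iam:PassRole
# only for the given role ARNs, and only when the role is passed to ECS tasks.
# Fails (exit 1) on an empty list or on anything that is not a role ARN, so a
# bad input can never turn into a broader grant.
build_passrole_policy() {
  resources=""
  [ "$#" -gt 0 ] || { echo "build_passrole_policy: no role ARNs given" >&2; return 1; }
  for arn in "$@"; do
    is_role_arn "$arn" || { echo "build_passrole_policy: not an IAM role ARN: $arn" >&2; return 1; }
    resources="${resources:+$resources, }\"$arn\""
  done
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"iam:PassRole","Resource":[%s],"Condition":{"StringLike":{"iam:PassedToService":"ecs-tasks.amazonaws.com"}}}]}\n' "$resources"
}

# taskdef_role_arns FAMILY[:REVISION]: print the execution role and task role
# ARNs of a task definition, one per line. The CLI prints "None" for unset
# fields in text output, so those are dropped.
taskdef_role_arns() {
  aws ecs describe-task-definition --task-definition "$1" \
    --query 'taskDefinition.[executionRoleArn,taskRoleArn]' --output text \
    | tr '\t' '\n' | grep -v '^None$' || true
}

# trusts_events_service ROLE_NAME: succeed only if an Allow statement in the
# role's trust policy names events.amazonaws.com as the principal.
trusts_events_service() {
  aws iam get-role --role-name "$1" \
    --query 'Role.AssumeRolePolicyDocument.Statement[?Effect==`Allow`].Principal.Service' \
    --output text | tr '\t' '\n' | grep -qx 'events.amazonaws.com'
}

# attach_passrole_for_taskdef FAMILY[:REVISION] [ROLE_NAME]: verify the trust
# policy, build the scoped PassRole policy for that task definition and attach
# it to the EventBridge role (default ecsEventsRole) as an inline policy.
attach_passrole_for_taskdef() {
  taskdef=$1
  role_name=${2:-ecsEventsRole}
  trusts_events_service "$role_name" \
    || { echo "$role_name is not assumable by events.amazonaws.com" >&2; return 1; }
  # Word splitting on the newline-separated ARNs is intended here.
  policy=$(build_passrole_policy $(taskdef_role_arns "$taskdef"))
  aws iam put-role-policy --role-name "$role_name" \
    --policy-name "ecsEventsPassRole-${taskdef%%:*}" \
    --policy-document "$policy"
}

# Usage (needs AWS credentials; the family name is a constructed example):
#   . ./ecs-events-passrole.sh && attach_passrole_for_taskdef my-task-family
```

The policy builder is pure shell, so it can be unit-tested without credentials; only taskdef_role_arns, trusts_events_service and attach_passrole_for_taskdef call the AWS CLI. Because build_passrole_policy refuses an empty ARN list, a task definition that sets neither role produces no policy at all rather than a statement with an empty Resource array.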
Attaching a policy to the ecsEventsRole role

You can use the following procedures to add permissions for the task execution role to the EventBridge IAM role.