Amazon ECS container instance IAM role
Amazon ECS container instances, including both Amazon EC2 and external instances, run the Amazon ECS container agent and require an IAM role for the service to know that the agent belongs to you. Before you launch container instances and register them to a cluster, you must create an IAM role for your container instances to use. The role is created in the account that you use to log into the console or run the AWS CLI commands.
Important
If you are registering external instances to your cluster, the IAM role you use requires Systems Manager permissions as well. For more information, see Amazon ECS Anywhere IAM role.
Amazon ECS provides the AmazonEC2ContainerServiceforEC2Role managed IAM policy, which contains the permissions needed to use the full Amazon ECS feature set. This managed policy can be attached to an IAM role and associated with your container instances. Alternatively, you can use the managed policy as a guide when creating a custom policy to use. The container instance role provides the permissions needed for the Amazon ECS container agent and Docker daemon to call AWS APIs on your behalf. For more information on the managed policy, see AmazonEC2ContainerServiceforEC2Role.
Amazon ECS supports launching container instances with increased ENI density using supported Amazon EC2 instance types. When you use this feature, we recommend that you create two container instance roles. Enable the awsvpcTrunking account setting for one role and use that role for tasks that require ENI trunking. For information about the awsvpcTrunking account setting, see Access Amazon ECS features with account settings.
Create the container instance role
Important
If you are registering external instances to your cluster, see Amazon ECS Anywhere IAM role.
You can manually create the role and attach the managed IAM policy for container instances to allow Amazon ECS to add permissions for future features and enhancements as they are introduced. Use the following procedure to attach the managed IAM policy if needed.
After you create the role, add additional permissions to the role for the following features.
Feature | Additional permissions
---|---
Amazon ECR has the container image | Amazon ECR permissions
Have CloudWatch Logs monitor container instances | Monitoring container instances permissions
Host configuration files in an Amazon S3 bucket | Amazon S3 read-only access
Amazon ECR permissions
The Amazon ECS container instance role that you use with your container instances must have the following IAM policy permissions for Amazon ECR.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        }
    ]
}
If you use the AmazonEC2ContainerServiceforEC2Role managed policy for your container instances, then your role has the proper permissions. To check that your role supports Amazon ECR, see Amazon ECS Container Instance IAM Role in the Amazon Elastic Container Service Developer Guide.
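The check referred to above can also be approximated offline against the role's policy documents. The following Python is an added example, not code from the AWS documentation: it evaluates a list of policy documents (in practice the output of the role's attached managed-policy versions and inline policies; here constructed inline) for the four Amazon ECR actions listed above, using IAM-style wildcard matching for Action and NotAction, and reports any action that is not allowed or is explicitly denied. Resource and Condition are deliberately ignored, so a Deny is treated conservatively.

```python
import fnmatch
import json

# Actions the container agent needs in order to pull images from Amazon ECR (from the page).
REQUIRED_ECR_ACTIONS = (
    "ecr:BatchCheckLayerAvailability",
    "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer",
    "ecr:GetAuthorizationToken",
)

# Constructed sample: the ECR statement from the page as a customer-managed policy document.
ECR_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage",
                            "ecr:GetDownloadUrlForLayer", "ecr:GetAuthorizationToken"],
                 "Resource": "*"}]
}""")


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive; '*' matches any run of characters and '?' one.
    # fnmatch implements both (its '[...]' syntax never occurs in IAM action names).
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policies, required=REQUIRED_ECR_ACTIONS):
    """Return the required actions no policy allows, or that some Deny statement names.

    Only Effect/Action/NotAction are evaluated. Resource is ignored (the agent's ECR
    calls are granted on "*" anyway) and Condition is ignored because it needs request
    context, so any Deny naming the action counts as blocking it (conservative).
    """
    allowed, denied = set(), set()
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            for action in required:
                if "Action" in stmt:
                    hit = any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
                else:  # NotAction: the statement applies to everything it does not list
                    hit = not any(_action_matches(p, action) for p in _as_list(stmt.get("NotAction")))
                if hit:
                    (allowed if stmt.get("Effect") == "Allow" else denied).add(action)
    return [a for a in required if a not in allowed or a in denied]
```

Passing the policy above returns an empty list; an inline policy that only allows `ecr:Get*` would report `ecr:BatchCheckLayerAvailability` and `ecr:BatchGetImage` as missing, which is the typical cause of image pull failures on a custom role.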
Amazon S3 read-only access
Storing configuration information in a private bucket in Amazon S3 and granting read-only access to your container instance IAM role is a secure and convenient way to allow container instance configuration at launch time. You can store a copy of your ecs.config file in a private bucket, use Amazon EC2 user data to install the AWS CLI, and then copy your configuration information to /etc/ecs/ecs.config when the instance launches.
For more information about creating an ecs.config file, storing it in Amazon S3, and launching instances with this configuration, see Storing Amazon ECS container instance configuration in Amazon S3.
You can use the following AWS CLI command to allow Amazon S3 read-only access for your container instance role. Replace ecsInstanceRole with the name of the role that you created.

aws iam attach-role-policy \
    --role-name ecsInstanceRole \
    --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

You can also use the IAM console to add Amazon S3 read-only access (AmazonS3ReadOnlyAccess) to your role. For more information, see Updating permissions for a role in the AWS Identity and Access Management User Guide.
Monitoring container instances permissions
Before your container instances can send log data to CloudWatch Logs, you must create an IAM policy to allow the Amazon ECS agent to write the customer's application logs to CloudWatch (normally handled through the awslogs driver). After you create the policy, attach that policy to ecsInstanceRole.