IAM roles for Amazon ECS
An IAM role is an IAM identity that you can create in your account that has specific permissions. In Amazon ECS, you can create roles to grant permissions to Amazon ECS resources such as containers or services.
The roles Amazon ECS requires depend on the task definition launch type and the features that you use. Use the following table to determine which IAM roles you need for Amazon ECS.
Role | Definition | When required | More information |
---|---|---|---|
Task execution role | This role allows Amazon ECS to use other AWS services on your behalf. | Your task is hosted on AWS Fargate or on external instances and: <br> Your task is hosted on either AWS Fargate or Amazon EC2 instances and: | Amazon ECS task execution IAM role |
Task role | This role allows your application code (on the container) to use other AWS services. | Your application accesses other AWS services, such as Amazon S3. | Amazon ECS task IAM role |
Container instance role | This role allows your EC2 instances or external instances to register with the cluster. | Your task is hosted on Amazon EC2 instances or an external instance. | Amazon ECS container instance IAM role |
Amazon ECS Anywhere role | This role allows your external instances to access AWS APIs. | Your task is hosted on external instances. | Amazon ECS Anywhere IAM role |
Amazon ECS CodeDeploy role | This role allows CodeDeploy to make updates to your services. | You use the CodeDeploy blue/green deployment type to deploy services. | Amazon ECS CodeDeploy IAM Role |
Amazon ECS EventBridge role | This role allows EventBridge to make updates to your services. | You use the EventBridge rules and targets to schedule your tasks. | Amazon ECS EventBridge IAM Role |
Amazon ECS infrastructure role | This role allows Amazon ECS to manage infrastructure resources in your clusters. | | Amazon ECS infrastructure IAM role |
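The task execution role and the task role are both assumed by the same ECS service principal, so the only thing separating "ECS acting on your behalf" from "your application code" is which ARN goes in which task definition field. The following added example (not code from this page or from AWS) audits that split in a task definition and builds a trust policy scoped to a single account; the role-trigger fields it inspects, the sample task definition, the role names and the account id are assumptions.

```python
import json

# Constructed Fargate task definition used as sample input (not from the page).
# It deliberately reuses the execution role as the task role.
SAMPLE_TASK_DEF = {
    "family": "web",
    "requiresCompatibilities": ["FARGATE"],
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "taskRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "containerDefinitions": [{
        "name": "app",
        "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/web:1",
        "secrets": [{"name": "DB_PASS",
                     "valueFrom": "arn:aws:ssm:us-east-1:123456789012:parameter/db"}],
        "logConfiguration": {"logDriver": "awslogs", "options": {}},
    }],
}

def needs_execution_role(task_def):
    """True when ECS itself must call AWS services to start the task. The
    triggers checked (private ECR image, secrets, repositoryCredentials,
    awslogs driver) are assumptions from the task definition schema, not
    the page's own list of conditions."""
    for c in task_def.get("containerDefinitions", []):
        if ".dkr.ecr." in c.get("image", "") or c.get("secrets") or c.get("repositoryCredentials"):
            return True
        if c.get("logConfiguration", {}).get("logDriver") == "awslogs":
            return True
    return False

def audit_roles(task_def):
    """Return findings about the execution-role / task-role split."""
    findings = []
    exec_role, task_role = task_def.get("executionRoleArn"), task_def.get("taskRoleArn")
    if needs_execution_role(task_def) and not exec_role:
        findings.append("missing executionRoleArn: ECS cannot pull the image, fetch secrets or ship logs")
    if task_role and task_role == exec_role:
        findings.append("taskRoleArn equals executionRoleArn: application code inherits ECS's own permissions")
    return findings

def trust_policy(account_id, service):
    """Trust policy for a role assumed by an AWS service, limited to this
    account so the service cannot be used from another account to assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": service},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:SourceAccount": account_id}}}]}

if __name__ == "__main__":
    print("\n".join(audit_roles(SAMPLE_TASK_DEF)))
    print(json.dumps(trust_policy("123456789012", "ecs-tasks.amazonaws.com"), indent=2))
```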