Amazon ECS instance role
AWS Batch compute environments are populated with Amazon ECS container instances. They run the Amazon ECS container agent locally. The Amazon ECS container agent makes calls to various AWS API operations on your behalf. Therefore, container instances that run the agent require an IAM policy and role for these services to recognize that the agent belongs to you. You must create an IAM role and an instance profile for the container instances to use when they're launched. Otherwise, you can't create a compute environment and launch container instances into it. This requirement applies to container instances launched with or without the Amazon ECS optimized AMI provided by Amazon. For more information, see Amazon ECS container instance IAM role in the Amazon Elastic Container Service Developer Guide.
The Amazon ECS instance role and instance profile are automatically created for you in the console first-run experience. However, you can follow these steps to check if your account already has the Amazon ECS instance role and instance profile. The following steps also cover how to attach the managed IAM policy.
To check for the ecsInstanceRole
in
the IAM console
Open the IAM console at https://console.aws.amazon.com/iam/
. -
In the navigation pane, choose Roles.
-
Search the list of roles for
ecsInstanceRole
. If the role doesn't exist, use the following steps to create the role.-
Choose Create Role.
-
For Trusted entity type, choose AWS service.
-
For Common use cases, choose EC2.
-
Choose Next.
-
For Permissions policies, search for AmazonEC2ContainerServiceforEC2Role.
-
Choose the check box next to AmazonEC2ContainerServiceforEC2Role, then choose Next.
-
For Role Name, type
ecsInstanceRole
and choose Create Role.Note
If you use the AWS Management Console to create a role for Amazon EC2, the console creates an instance profile with the same name as the role.
-
Alternatively, you can use the AWS CLI to create the ecsInstanceRole
IAM role.
The following example creates an IAM role with a trust policy and an AWS managed
policy.
To create an IAM role and instance profile (AWS CLI)
-
Create the following trust policy and save it in a text file that's named
ecsInstanceRole-role-trust-policy.json
.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole" } ] }
-
Use the create-role command to create the
ecsInstanceRole
role. Specify the trust policy file location in theassume-role-policy-document
parameter.$
aws iam create-role \ --role-name ecsInstanceRole \ --assume-role-policy-document file://ecsInstanceRole-role-trust-policy.json
The following is an example response.
{ "Role": { "Path": "/", "RoleName: "ecsInstanceRole", "RoleId": "AROAT46P5RDIY4EXAMPLE", "Arn": "arn:aws:iam::123456789012:role/ecsInstanceRole". "CreateDate": "2022-12-12T23:46:37.247Z", "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service: "ec2.amazonaws.com" } "Action": "sts:AssumeRole", } ] } }
-
Use the create-instance-profile command to create an instance profile that's named
ecsInstanceRole
.Note
You need to create roles and instance profiles as separate actions in the AWS CLI and AWS API.
$
aws iam create-instance-profile --instance-profile-name ecsInstanceRole
The following is an example response.
{ "InstanceProfile": { "Path": "/", "InstanceProfileName": "ecsInstanceRole", "InstanceProfileId": "AIPAT46P5RDITREXAMPLE", "Arn": "arn:aws:iam::123456789012:instance-profile/ecsInstanceRole", "CreateDate": "2022-06-30T23:53:34.093Z", "Roles": [], } }
-
Use the add-role-to-instance-profile command to add the
ecsInstanceRole
role to theecsInstanceRole
instance profile.aws iam add-role-to-instance-profile \ --role-name ecsInstanceRole --instance-profile-name ecsInstanceRole
-
Use the attach-role-policy command to attach the
AmazonEC2ContainerServiceforEC2Role
AWS managed policy to theecsInstanceRole
role.$
aws iam attach-role-policy \ --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role \ --role-name ecsInstanceRole