IAM Setup

We need to create the IAM roles that let EC2 instances register themselves with the ECS cluster and that grant ECS tasks permission to reach other AWS resources, such as ECR during deployment and Secrets Manager after deployment. The diagram below visualizes what we will be doing.

Setup IAM Role for EC2 Instances to Register Themselves with ECS

Before we create the ECS cluster, we will create a launch template that an Auto Scaling group uses to spin up EC2 instances with Docker and the ECS agent installed. The ECS agent is what registers each EC2 instance with the ECS cluster. Before an instance can register, however, it needs an IAM role with the AmazonEC2ContainerServiceforEC2Role policy attached. Let's go ahead and create it.

  • Search and select IAM Role

  • Click on Roles and click Create role

  • Select AWS service, then under Service or use case select EC2

  • Select EC2 and click on Next

  • In the search bar, search for the AmazonEC2ContainerServiceforEC2Role policy and select it. Ensure you select only that policy.

  • Provide the IAM Role name items-ecs-ec2-role

  • Click on Create role to create the IAM role.

Setup IAM Role for ECS Task to Access Secrets Manager (A Task Role)

Our sample application connects to a database on startup. The database credentials (username, password, host, etc.) are stored in AWS Secrets Manager. For the task to read these secrets, it needs an IAM role with the SecretsManagerReadWrite policy attached. Let's go ahead and create it.

  • Click on Roles and click Create role

  • Select AWS Service and type Elastic Container Service in the search bar and select it.

  • Under Use case select Elastic Container Service Task and click on Next

  • Search for SecretsManagerReadWrite in the search bar, select it and click next.

  • Provide the role name items-ecs-task-role

  • Click Create role to create the role

Setup IAM Role for ECS to Get Access to Other AWS Resources On Startup (A Task Execution Role)

During an ECS service deployment, the ECS task needs access to Elastic Container Registry (ECR), CloudWatch Logs, etc. This role is used by the ECS task to reach those AWS resources during deployment. For example, when you're using ECR, this role is what lets the ECS task pull the image from ECR and deploy it.

Note: the Task Execution Role is different from the Task Role. The Task Execution Role is needed only while a service or task is being deployed, while the Task Role is needed when the running task accesses other AWS services after deployment.

  • Click on Roles and click Create role

  • Select AWS Service and type Elastic Container Service in the search bar and select it.

  • Under Use case select Elastic Container Service Task and click on Next

  • Search for AmazonECSTaskExecutionRolePolicy in the search bar, select it and click next.

  • Provide the role name items-ecs-task-execution-role

  • Click Create role to create the role

[Figure: list of all IAM roles created]
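As an added example (not part of the original guide), the Python below builds the trust policy that the console generates for each of the three roles above, audits a role's trust policy and attached managed policies, and shows a narrower Secrets Manager policy that grants read access to a single secret instead of the broad SecretsManagerReadWrite policy; the secret ARN and account id are constructed placeholders.

```python
import json

EC2_SERVICE = "ec2.amazonaws.com"
ECS_TASKS_SERVICE = "ecs-tasks.amazonaws.com"

# Role name from the guide -> (service that may assume it, managed policy attached in the guide)
ROLES = {
    "items-ecs-ec2-role": (EC2_SERVICE,
        "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"),
    "items-ecs-task-role": (ECS_TASKS_SERVICE,
        "arn:aws:iam::aws:policy/SecretsManagerReadWrite"),
    "items-ecs-task-execution-role": (ECS_TASKS_SERVICE,
        "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"),
}


def trust_policy(service):
    """Trust policy allowing exactly one AWS service principal to assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": service}, "Action": "sts:AssumeRole"}]}


def scoped_secrets_policy(secret_arn):
    """Read-only access to one named secret, a narrower alternative to SecretsManagerReadWrite."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": secret_arn}]}


def audit_role(name, trust, attached_policies):
    """Return findings: unexpected trusted principals or an overly broad managed policy."""
    expected_service = ROLES[name][0]
    findings = []
    for stmt in trust["Statement"]:
        principal = stmt.get("Principal", {})
        if "AWS" in principal:  # an account or user principal could assume this role
            findings.append(f"{name}: trust policy grants a non-service principal")
        services = principal.get("Service", [])
        for svc in [services] if isinstance(services, str) else services:
            if svc != expected_service:
                findings.append(f"{name}: unexpected trusted service {svc}")
    if any(arn.endswith("/SecretsManagerReadWrite") for arn in attached_policies):
        findings.append(f"{name}: SecretsManagerReadWrite covers every secret; prefer a scoped policy")
    return findings


if __name__ == "__main__":
    # Constructed placeholder ARN; replace with the ARN of the secret holding the database credentials.
    secret_arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:items-db-credentials-PLACEHOLDER"
    for name, (service, policy_arn) in ROLES.items():
        print(name, json.dumps(trust_policy(service)), audit_role(name, trust_policy(service), [policy_arn]))
    print(json.dumps(scoped_secrets_policy(secret_arn), indent=2))
```

Run as-is, the audit flags items-ecs-task-role because SecretsManagerReadWrite spans every secret in the account; the JSON from trust_policy can be written to a file and passed to `aws iam create-role --assume-role-policy-document` if you prefer the CLI to the console.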

Now that we have successfully created all our required IAM roles, let's continue by setting up our VPCs.