stackoom
  简体   繁体   中英

AWS - IAM Roles between Fargate instances and other AWS services

 原文  2023-01-30 23:20:43       amazon-web-services/ amazon-iam/ amazon-ecs

Question

Here I have a task definition for Fargate to launch a microservice inside. It isnt important what this microservice does. My question is about the two properties below:

ExecutionRoleArn: !GetAtt ECSTaskRole.Arn

TaskRoleArn: !GetAtt ECSTaskRole.Arn

and here is the TaskDefinition for Fargate/Microservice, again the microservice here isnt important.

TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties: 
      RequiresCompatibilities:
        - "FARGATE"
      ContainerDefinitions: 
        - Environment:
            - Name: DEST_BUCKET
              Value: !Ref BucketName
            - Name: SOURCE_QUEUE_URL
              Value: !Ref ConversionQueue
          Essential: True
          Image: !Sub '${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/${EcrRepo}'
          LogConfiguration: 
            LogDriver: awslogs
            Options: 
              awslogs-group : !Ref LogGroup
              awslogs-region : !Ref AWS::Region
              awslogs-stream-prefix : ecs
          Name: 'conversion'
      Cpu: '256'
      ExecutionRoleArn: !GetAtt ECSTaskRole.Arn
      Family: 'conversion-taskdefinition'
      Memory: '512'
      NetworkMode: awsvpc
      TaskRoleArn: !GetAtt ECSTaskRole.Arn

and here is the ECSTaskRole:

  ECSTaskRole:
    Type: AWS::IAM::Role
    Properties:
      Description: 'IAM Role for conversion-service tasks'
      RoleName: 'conversion-taskrole'
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ecs-tasks.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow 
                Action: 
                  - "s3:PutObject"
                Resource: !Join
                  - ''
                  - - 'arn:aws:s3:::'
                    - !Ref S3Bucket
                    - /*
              - Effect: Allow
                Action: 
                  - sqs:*"
                Resource: !GetAtt ConversionQueue.Arn

So if I understand the IAM and FARGATE relationship properly, the Fargate instances specified in the task definition assumes the ECSTaskRole which defines what the instances are allowed to do?

1 answers

solution1
 2 ACCPTED  2023-01-30 23:30:55

Fargate instances specified in the task definition assumes the ECSTaskRole which defines what the instances are allowed to do?

Yes. TaskRoleArn role is assumed by the fargate task, so that your application running on the fargate can interact with AWS, eg access S3.

ExecutionRoleArn is for the ECS service itself, so that the service, not your application, can access AWS resources required to actually run your image, eg access ECR to download your docker image.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Mimic user permissions on AWS EC2 instances using IAM roles Limiting other AWS IAM roles from interacting with resources/privilege escalation How can I generate a list of all my IAM roles and the services using those roles on AWS Limit AWS IAM role to modify only specific IAM permissions of other roles? Problem with AWS iam and JQ filtering roles The nature of Amazon EC2 instances and other AWS services Difference between IAM role and IAM user in AWS Fargate tasks not calling aws services without aws configure AWS IAM Roles : How to identify specific permission for each AWS service IAM role to access services of another AWS account
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM