IAM roles for Amazon ECS - Amazon Elastic Container Service

IAM roles for Amazon ECS

An IAM role is an IAM identity that you can create in your account that has specific permissions. In Amazon ECS, you create roles to grant permissions to Amazon ECS resources such as containers or services.

The roles Amazon ECS requires depend on the task definition launch type and the features that you use. Use the following table to determine which IAM roles you need for Amazon ECS.

Each entry below lists the role, its definition, when it is required, and where to find more information.

Role: Task execution role
Definition: This role allows Amazon ECS to use other Amazon services on your behalf.
When required:

Your task is hosted on Amazon Fargate and:

  • pulls a container image from an Amazon ECR private repository.

  • pulls a container image from an Amazon ECR private repository in a different account from the account that runs the task.

  • sends container logs to CloudWatch Logs using the awslogs log driver.

Your task is hosted on either Amazon Fargate or Amazon EC2 instances and:

  • uses private registry authentication.

  • uses Runtime Monitoring.

  • the task definition references sensitive data using Secrets Manager secrets or Amazon Systems Manager Parameter Store parameters.

More information: Amazon ECS task execution IAM role

Role: Task role
Definition: This role allows your application code (in the container) to use other Amazon services.
When required: Your application accesses other Amazon services, such as Amazon S3.
More information: Amazon ECS task IAM role

Role: Container instance role
Definition: This role allows your EC2 instances or external instances to register with the cluster.
When required: Your task is hosted on Amazon EC2 instances or an external instance.
More information: Amazon ECS container instance IAM role

Role: Amazon ECS Anywhere role
Definition: This role allows your external instances to access Amazon APIs.
When required: Your task is hosted on external instances.
More information: Amazon ECS Anywhere IAM role

Role: Amazon ECS CodeDeploy role
Definition: This role allows CodeDeploy to make updates to your services.
When required: You use the CodeDeploy blue/green deployment type to deploy services.
More information: Amazon ECS CodeDeploy IAM Role

Role: Amazon ECS EventBridge role
Definition: This role allows EventBridge to make updates to your services.
When required: You use EventBridge rules and targets to schedule your tasks.
More information: Amazon ECS EventBridge IAM Role

Role: Amazon ECS infrastructure role
Definition: This role allows Amazon ECS to manage infrastructure resources in your clusters.
When required:

  • You want to attach Amazon EBS volumes to your Fargate or EC2 launch type Amazon ECS tasks. The infrastructure role allows Amazon ECS to manage Amazon EBS volumes for your tasks.

  • You want to use Transport Layer Security (TLS) to encrypt traffic between your Amazon ECS Service Connect services.
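The conditions in the task execution role entry above can be checked mechanically against a task definition before it is registered. The following is an added example, not code from the AWS documentation: it inspects a task definition dict (the same shape you pass to RegisterTaskDefinition, using the real keys requiresCompatibilities, containerDefinitions, image, logConfiguration, repositoryCredentials, secrets and executionRoleArn) and reports which rows of the table apply and whether the execution role ARN is missing. It also builds a trust policy for the task execution and task roles; the aws:SourceAccount condition in that policy is an added hardening choice (scoping which account's tasks may assume the role) and is an assumption of this example, not a requirement stated on the page. Runtime Monitoring cannot be detected from the task definition alone and is not checked. The sample task definition is constructed.

```python
"""Check an ECS task definition against the task execution role rules above."""
import json
import re

# Host shape of an Amazon ECR private repository image URI
# (the 12-digit account ID is captured so cross-account pulls can be reported).
ECR_PRIVATE_RE = re.compile(
    r"^(\d{12})\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com(\.cn)?/"
)


def execution_role_reasons(task_def: dict, running_account: str) -> list:
    """Return the reasons (one per matching table row) why this task
    definition needs a task execution role. An empty list means none of the
    detectable conditions apply."""
    reasons = []
    fargate = "FARGATE" in task_def.get("requiresCompatibilities", [])
    for cd in task_def.get("containerDefinitions", []):
        name = cd.get("name", "<unnamed>")
        m = ECR_PRIVATE_RE.match(cd.get("image", ""))
        if m and fargate:
            if m.group(1) == running_account:
                reasons.append(f"{name}: pulls from an ECR private repository (Fargate)")
            else:
                reasons.append(
                    f"{name}: pulls from an ECR private repository in account "
                    f"{m.group(1)} (Fargate, cross-account)"
                )
        log_driver = cd.get("logConfiguration", {}).get("logDriver")
        if fargate and log_driver == "awslogs":
            reasons.append(f"{name}: sends logs to CloudWatch Logs with awslogs (Fargate)")
        # The next two rows apply on both Fargate and EC2.
        if cd.get("repositoryCredentials"):
            reasons.append(f"{name}: uses private registry authentication")
        if cd.get("secrets"):
            reasons.append(f"{name}: references Secrets Manager / Parameter Store secrets")
    return reasons


def missing_roles(task_def: dict, running_account: str) -> list:
    """Return human-readable problems: currently only a required but unset
    executionRoleArn. Task role need depends on the application, not the
    task definition, so it is not inferred here."""
    problems = []
    reasons = execution_role_reasons(task_def, running_account)
    if reasons and not task_def.get("executionRoleArn"):
        problems.append("executionRoleArn is not set but is required: " + "; ".join(reasons))
    return problems


def task_trust_policy(running_account: str) -> dict:
    """Trust policy for the task execution role and the task role: the
    principal is the ECS tasks service. The aws:SourceAccount condition is an
    assumed hardening step (limits assumption to tasks in this account)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ecs-tasks.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"aws:SourceAccount": running_account}},
        }],
    }


# Constructed sample: a Fargate task pulling a private ECR image, logging via
# awslogs and injecting a secret, with no execution role set.
ACCOUNT = "111122223333"
SAMPLE_TASK_DEF = {
    "family": "web",
    "requiresCompatibilities": ["FARGATE"],
    "containerDefinitions": [{
        "name": "web",
        "image": f"{ACCOUNT}.dkr.ecr.us-east-1.amazonaws.com/web:1.0",
        "logConfiguration": {"logDriver": "awslogs",
                             "options": {"awslogs-group": "/ecs/web"}},
        "secrets": [{"name": "DB_PASSWORD",
                     "valueFrom": f"arn:aws:ssm:us-east-1:{ACCOUNT}:parameter/web/db"}],
    }],
}

if __name__ == "__main__":
    for p in missing_roles(SAMPLE_TASK_DEF, ACCOUNT):
        print(p)
    print(json.dumps(task_trust_policy(ACCOUNT), indent=2))
```

Run it as a pre-registration check in a deployment pipeline: a non-empty result from missing_roles means the task will fail to start for one of the reasons in the table, and the trust policy output is what you attach to the role that executionRoleArn (or taskRoleArn) points at.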