Amazon Batch execution IAM role
The execution role grants the Amazon ECS container and Amazon Fargate agents permission to make Amazon API calls on your behalf.
Note
The execution role is supported by Amazon ECS container agent version 1.16.0 and later.
Whether a job needs an execution role depends on what must happen before its container starts: for example, pulling the container image from a private Amazon ECR repository, or sending container logs to CloudWatch Logs. The execution role is used by the agents for these launch-time actions; it is not the role that the code running inside the job assumes. You can have multiple execution roles for different purposes and services associated with your account.
Note
For information about the Amazon ECS instance role, see Amazon ECS instance role. For information about service roles, see How Amazon Batch works with IAM.
Amazon ECS provides the AmazonECSTaskExecutionRolePolicy managed policy. This policy grants the permissions needed for the common use cases: pulling container images from Amazon ECR and writing container logs to CloudWatch Logs. For other use cases you might need to add inline policies to your execution role.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}
The managed policy uses "Resource": "*". If you write your own execution role policy instead, ecr:GetAuthorizationToken must keep "*" because it has no resource-level scope, but the remaining ECR and CloudWatch Logs actions can be restricted to the repository and log group ARNs that your jobs actually use.
You can use the following procedure to check that your account already has the execution role and to attach the managed IAM policy, if needed.
To check for the ecsTaskExecutionRole in the IAM console
1. Open the IAM console at https://console.amazonaws.cn/iam/.
2. In the navigation pane, choose Roles.
3. Search the list of roles for ecsTaskExecutionRole. If you can't find the role, see Creating the execution IAM role. If you found the role, choose the role to view the attached policies.
4. On the Permissions tab, verify that the AmazonECSTaskExecutionRolePolicy managed policy is attached to the role. If the policy is attached, your execution role is properly configured. If not, follow these substeps to attach the policy.
   a. Choose Add permissions, then choose Attach policies.
   b. Search for AmazonECSTaskExecutionRolePolicy.
   c. Check the box to the left of the AmazonECSTaskExecutionRolePolicy policy and choose Attach policies.
5. Choose Trust relationships.
6. Verify that the trust relationship contains the following policy. If the trust relationship matches the policy below, the role is configured correctly. If the trust relationship does not match, choose Edit trust policy, enter the following, and choose Update policy.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "ecs-tasks.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
Creating the execution IAM role
If your account doesn't already have an execution role, use the following steps to create the role.
To create the ecsTaskExecutionRole IAM role
1. Open the IAM console at https://console.amazonaws.cn/iam/.
2. In the navigation pane, choose Roles.
3. Choose Create role.
4. For Trusted entity type, choose Amazon Web Service.
5. For Service or use case, choose Elastic Container Service. For Use case, choose Elastic Container Service Task. This sets the role's trust policy to the ecs-tasks.amazonaws.com service principal, which is the trust relationship the execution role must have. Do not choose the EC2 use case: a role that trusts ec2.amazonaws.com can be attached to instances but cannot be assumed by the ECS tasks service, so the agents would fail to pull images or write logs.
6. Choose Next.
7. For Permissions policies, search for AmazonECSTaskExecutionRolePolicy.
8. Choose the check box to the left of the AmazonECSTaskExecutionRolePolicy policy, and then choose Next.
9. For Role Name, enter ecsTaskExecutionRole and then choose Create role.
10. Open the new role and, on the Trust relationships tab, confirm that the trusted service is ecs-tasks.amazonaws.com, as described in the check procedure above.
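The two console procedures above (check the existing role, or create it) can be scripted. The following is an added example, not code from the Amazon Batch documentation: the audit function encodes the page's checks (trust policy names ecs-tasks.amazonaws.com, managed policy attached) plus two checks a reviewer would add (no wildcard principal, no unrelated trusted services), and runs offline on constructed sample documents. The ensure_execution_role function assumes boto3 is installed and the caller has iam:GetRole, iam:CreateRole, iam:ListAttachedRolePolicies and iam:AttachRolePolicy. The default partition is aws-cn because the console on this page is console.amazonaws.cn; pass "aws" for the global partition.

```python
"""Create or audit the Amazon Batch execution role without the console."""
import json

ROLE_NAME = "ecsTaskExecutionRole"
MANAGED_POLICY_NAME = "AmazonECSTaskExecutionRolePolicy"
ECS_TASKS_PRINCIPAL = "ecs-tasks.amazonaws.com"


def managed_policy_arn(partition="aws-cn"):
    """Managed-policy ARN; aws-cn for China regions, aws elsewhere (assumed default)."""
    return f"arn:{partition}:iam::aws:policy/service-role/{MANAGED_POLICY_NAME}"


def trust_policy():
    """The trust relationship the page tells you to verify."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "",
            "Effect": "Allow",
            "Principal": {"Service": ECS_TASKS_PRINCIPAL},
            "Action": "sts:AssumeRole",
        }],
    }


def _principals(statement):
    """Flatten the Principal element into a list of principal strings."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    out = []
    for key in ("Service", "AWS", "Federated"):
        value = principal.get(key, [])
        out.extend([value] if isinstance(value, str) else value)
    return out


def audit_execution_role(assume_role_doc, attached_policy_arns, partition="aws-cn"):
    """Return findings; an empty list means the role matches the page's configuration."""
    findings = []
    trusted = set()
    for stmt in assume_role_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" in actions or "sts:*" in actions:
            trusted.update(_principals(stmt))
    if "*" in trusted:
        findings.append("trust policy allows any principal to assume the role")
    if ECS_TASKS_PRINCIPAL not in trusted:
        findings.append(f"trust policy does not trust {ECS_TASKS_PRINCIPAL}")
    extra = sorted(trusted - {ECS_TASKS_PRINCIPAL, "*"})
    if extra:
        findings.append("trust policy also trusts unrelated services: " + ", ".join(extra))
    if managed_policy_arn(partition) not in attached_policy_arns:
        findings.append(f"{MANAGED_POLICY_NAME} is not attached")
    return findings


def ensure_execution_role(iam, partition="aws-cn"):
    """Create the role if missing, attach the managed policy, then audit it (needs boto3 client)."""
    try:
        role = iam.get_role(RoleName=ROLE_NAME)["Role"]
    except iam.exceptions.NoSuchEntityException:
        role = iam.create_role(
            RoleName=ROLE_NAME,
            AssumeRolePolicyDocument=json.dumps(trust_policy()),
            Description="Amazon Batch / ECS task execution role",
        )["Role"]
    attached = {p["PolicyArn"] for p in
                iam.list_attached_role_policies(RoleName=ROLE_NAME)["AttachedPolicies"]}
    if managed_policy_arn(partition) not in attached:
        iam.attach_role_policy(RoleName=ROLE_NAME, PolicyArn=managed_policy_arn(partition))
        attached.add(managed_policy_arn(partition))
    # boto3 returns AssumeRolePolicyDocument already decoded into a dict
    return audit_execution_role(role["AssumeRolePolicyDocument"], attached, partition)


# Constructed sample: a role created with the EC2 use case instead of ECS Task.
SAMPLE_EC2_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    print(audit_execution_role(SAMPLE_EC2_TRUST, {managed_policy_arn()}))
    print(audit_execution_role(trust_policy(), set()))
    import boto3  # assumption: boto3 installed and IAM credentials configured
    print(ensure_execution_role(boto3.client("iam")))
```

Run offline, the first two prints show the mistaken EC2 trust and the missing managed policy as findings; with credentials, the last call creates or repairs the role and should print an empty list.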