Amazon Batch execution IAM role - Amazon Batch
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Batch execution IAM role

The execution role grants the Amazon ECS container and Amazon Fargate agents permission to make Amazon API calls on your behalf.

Note

The execution role is supported by Amazon ECS container agent version 1.16.0 and later.

Whether an execution IAM role is required depends on the requirements of your task. You can have multiple execution roles for different purposes and services associated with your account.

Note

For information about the Amazon ECS instance role, see Amazon ECS instance role. For information about service roles, see How Amazon Batch works with IAM.

Amazon ECS provides the AmazonECSTaskExecutionRolePolicy managed policy. This policy contains the permissions required for the common use cases (the Amazon ECR and CloudWatch Logs actions in the policy below). Special use cases might require additional inline policies on your execution role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}

You can use the following procedure to check that your account already has the execution role and to attach the managed IAM policy, if needed.

To check for the ecsTaskExecutionRole in the IAM console
  1. Open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Roles.

  3. Search the list of roles for ecsTaskExecutionRole. If you can't find the role, see Creating the execution IAM role. If you find the role, choose it to view the attached policies.

  4. On the Permissions tab, verify that the AmazonECSTaskExecutionRolePolicy managed policy is attached to the role. If the policy is attached, your execution role is properly configured. If not, follow the substeps below to attach the policy.

    1. Choose Add permissions, then choose Attach policies.

    2. Search for AmazonECSTaskExecutionRolePolicy.

    3. Check the box to the left of the AmazonECSTaskExecutionRolePolicy policy and choose Attach policies.

  5. Choose Trust relationships.

  6. Verify that the trust relationship contains the following policy. If the trust relationship matches the policy below, the role is configured correctly. If the trust relationship does not match, choose Edit trust policy, enter the following, and choose Update policy.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {
                    "Service": "ecs-tasks.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
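The two checks in the procedure above (the right managed permissions and a trust relationship for ecs-tasks.amazonaws.com) can be automated, for example as a unit test over the JSON that `aws iam get-role` and `aws iam get-policy-version` return. The following is an added example written for this page, not Amazon's code. The expected principal and the six required actions are taken from the two policy documents shown above; the sample documents are constructed here so that the check runs offline, and it also handles the IAM grammar variants a hand-written comparison tends to miss (single value versus list for Statement, Action and Principal.Service, case-insensitive action names, and `*` wildcards in actions).

```python
from fnmatch import fnmatchcase

# Expected values, taken from the policy documents shown on this page.
EXPECTED_PRINCIPAL = "ecs-tasks.amazonaws.com"
REQUIRED_ACTIONS = (
    "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
)


def _as_list(value):
    """IAM allows Statement, Action and Principal.Service as a single value or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def trusted_services(trust_policy):
    """Service principals that an Allow statement lets assume the role."""
    services = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(fnmatchcase("sts:assumerole", a) for a in actions):
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            services.update(_as_list(principal.get("Service")))
    return services


def trust_policy_ok(trust_policy):
    """True when the ECS tasks service principal is allowed to assume the role."""
    return EXPECTED_PRINCIPAL in trusted_services(trust_policy)


def allowed_actions(permissions_policy):
    """Action patterns granted by Allow statements (explicit Deny is not evaluated here)."""
    patterns = set()
    for stmt in _as_list(permissions_policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            patterns.update(a.lower() for a in _as_list(stmt.get("Action")))
    return patterns


def missing_actions(permissions_policy):
    """Required actions not covered by any granted pattern, sorted.

    IAM action matching is case-insensitive and '*' is a wildcard, so a grant
    of 'ecr:*' covers the four ECR actions."""
    granted = allowed_actions(permissions_policy)
    return sorted(
        action for action in REQUIRED_ACTIONS
        if not any(fnmatchcase(action.lower(), pattern) for pattern in granted)
    )


def check_role(trust_policy, permissions_policy):
    """Return a list of findings; an empty list means the role matches this page."""
    findings = []
    if not trust_policy_ok(trust_policy):
        found = sorted(trusted_services(trust_policy)) or "none"
        findings.append(
            f"trust policy does not allow {EXPECTED_PRINCIPAL} to assume the role (found: {found})"
        )
    for action in missing_actions(permissions_policy):
        findings.append(f"permissions policy does not grant {action}")
    return findings


# Documents copied from this page (the trust relationship and the managed policy).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "", "Effect": "Allow",
                   "Principal": {"Service": "ecs-tasks.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}
EXECUTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": list(REQUIRED_ACTIONS), "Resource": "*"}],
}

# Constructed negative sample: a role trusted by a different service principal.
INSTANCE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}
# Constructed sample: ECR granted through a wildcard, CloudWatch Logs actions absent.
PARTIAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "ecr:*", "Resource": "*"},
}

if __name__ == "__main__":
    print(check_role(TRUST_POLICY, EXECUTION_POLICY))            # []
    for finding in check_role(INSTANCE_TRUST_POLICY, PARTIAL_POLICY):
        print(finding)
```

In practice, pass `Role.AssumeRolePolicyDocument` from `aws iam get-role` as the trust policy and `PolicyVersion.Document` from `aws iam get-policy-version` (for the attached AmazonECSTaskExecutionRolePolicy version) as the permissions policy. The checker deliberately ignores Deny statements and conditions, so an empty findings list means "the grants this page requires are present", not a full authorization simulation.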

Creating the execution IAM role

If your account doesn't already have an execution role, use the following steps to create the role.

To create the ecsTaskExecutionRole IAM role
  1. Open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Roles.

  3. Choose Create role.

  4. For Trusted entity type, choose Amazon Web Service.

  5. For Service or use case, choose EC2. Then choose EC2 again.

  6. Choose Next.

  7. For Permissions policies, search for AmazonECSTaskExecutionRolePolicy.

  8. Choose the check box to the left of the AmazonECSTaskExecutionRolePolicy policy, and then choose Next.

  9. For Role Name, enter ecsTaskExecutionRole and then choose Create role.