amazon-web-services amazon-iam amazon-ecs

Is it possible to configure an IAM role for an ECS task?


I need to do some initialisation that needs access to certain AWS resources during my Docker entrypoint.

My application could also do with implicit role-based access to AWS rather than configuring the key pair in app config.

How do IAM roles work in tasks? I could only find IAM role documentation on ECS container instances.


Solution

  • The ECS task will assume the IAM Role/Instance Profile of the given container. There is no task level way to assign a different IAM Role.

    Amazon ECS Container Instance IAM Role

    The Amazon ECS container agent makes calls to the Amazon ECS API actions on your behalf, so container instances that run the agent require an IAM policy and role for the service to know that the agent belongs to you. Before you can launch container instances and register them into a cluster, you must create an IAM role for those container instances to use when they are launched. This requirement applies to container instances launched with the Amazon ECS-optimized AMI provided by Amazon, or with any other instances that you intend to run the agent on.
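
Under the answer's premise that every task on a container instance uses that instance's role, the role has to carry the union of all tasks' permissions. The example below is added here and is not part of the original answer; the task names, ARNs and account id are constructed. It builds that merged policy and lists what each task receives beyond its own needs.

```python
import json

# Constructed sample: per-task needs on one container instance (placeholder names and ARNs).
TASK_NEEDS = {
    "init-entrypoint": {
        "s3:GetObject": ["arn:aws:s3:::example-config-bucket/*"],
    },
    "web-app": {
        "dynamodb:GetItem": ["arn:aws:dynamodb:us-east-1:111122223333:table/example-sessions"],
        "sqs:SendMessage": ["arn:aws:sqs:us-east-1:111122223333:example-jobs"],
    },
}

# Trust policy that lets EC2 assume the role on behalf of the container instance.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def instance_role_policy(task_needs):
    """Merge every task's needs into the single policy the instance role must carry."""
    merged = {}
    for needs in task_needs.values():
        for action, resources in needs.items():
            merged.setdefault(action, set()).update(resources)
    statements = [
        {"Effect": "Allow", "Action": action, "Resource": sorted(resources)}
        for action, resources in sorted(merged.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def excess_grants(task, task_needs):
    """Actions a task can use through the shared role but does not itself need."""
    everything = {a for needs in task_needs.values() for a in needs}
    return sorted(everything - set(task_needs[task]))


if __name__ == "__main__":
    print(json.dumps(TRUST_POLICY, indent=2))
    print(json.dumps(instance_role_policy(TASK_NEEDS), indent=2))
    for name in TASK_NEEDS:
        print(name, "also receives:", excess_grants(name, TASK_NEEDS))
```

A non-empty excess list for a task is the cost of sharing one instance role: the remedy under this model is to place tasks with different permission needs on separate container instances.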