Tags: amazon-web-services, amazon-ec2, amazon-ecs

AWS ecsInstanceRole vs ecsTaskExecutionRole


I'm trying to get an AWS ECS hello world working but I'm confused by how task definition roles are mapping to actual roles on my EC2 instances.

When creating a task definition, there is the "Task role", which I left as "None" and the "Task execution role", which I let auto-create and fill in as "ecsTaskExecutionRole". However, when I do a deployment the EC2 instances are listed with the IAM role "ecsInstanceRole", which was also auto-created along with "ecsTaskExecutionRole".

To my understanding:

  • the "Task role" is a role assumed internally by containers to allow them to e.g. access S3, so it's fine to leave that as None since I don't need to access any other AWS resources.

  • the "Task execution role" is assumed by the container agent, so I was expecting this to show up as the role of the EC2 instance, but instead I'm seeing the EC2 instance assigned the "ecsInstanceRole" and the "ecsTaskExecutionRole" appears to have no activity whatsoever.

Is this the expected behavior?


Solution

  • ECS Instance Role

    This is the role assumed by the EC2 instance that gives it permission to register itself with the ECS cluster. This role is not used if you are deploying to Fargate instead of EC2.

  • ECS Execution Role

    This is the role assumed by the AWS ECS service itself, in order to access the things it needs to deploy your ECS task. This is used for things like accessing ECR to pull your container image, to push your task's logs to CloudWatch, and to pull secrets from Secrets Manager or SSM Parameter Store if you have those configured in your task definition.

  • ECS Task Role

    This is the role provided to any code running in your ECS Task container that needs to make calls to AWS services. This role is optional, and only needed if you have code inside your container that is using the AWS CLI tool or AWS SDK to make calls to the AWS API.

> the "Task execution role" is assumed by the container agent, so I was expecting this to show up as the role of the EC2 instance, but instead I'm seeing the EC2 instance assigned the "ecsInstanceRole" and the "ecsTaskExecutionRole" appears to have no activity whatsoever.

If you are deploying to EC2 then there is some overlap with these two roles. The Instance Role is the role assumed by the ECS agent running on the EC2 instance. The documentation states that the Task Execution Role is still used in EC2 deployments for the purposes of pulling secret values out of Secrets Manager and SSM Parameter Store, and for accessing private image registries.
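An added check (not from the question or the answer above) that makes the three-way split concrete: each role's trust policy must name the principal that actually assumes it, ec2.amazonaws.com for the instance role and ecs-tasks.amazonaws.com for the execution and task roles. The role names and trust-policy documents are constructed for the example, in the shape `aws iam get-role` returns under AssumeRolePolicyDocument.

```python
# Which AWS service principal assumes each kind of ECS role: the ECS agent on the
# EC2 instance (instance role), ECS itself acting for the task (execution role),
# and the code inside the container (task role).
EXPECTED_PRINCIPAL = {
    "instance": "ec2.amazonaws.com",
    "execution": "ecs-tasks.amazonaws.com",
    "task": "ecs-tasks.amazonaws.com",
}

def trusted_services(trust_policy):
    """Return the set of service principals allowed to sts:AssumeRole this role."""
    services = set()
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        svc = stmt.get("Principal", {}).get("Service", [])
        services.update([svc] if isinstance(svc, str) else svc)
    return services

def check_role(kind, trust_policy):
    """Return findings for one role; an empty list means the trust policy fits."""
    want = EXPECTED_PRINCIPAL[kind]
    got = trusted_services(trust_policy)
    findings = []
    if want not in got:
        findings.append(f"{kind} role does not trust {want}: nothing can assume it")
    for extra in sorted(got - {want}):
        findings.append(f"{kind} role also trusts {extra}: tighten the trust policy")
    return findings

def policy_for(*services):
    """Build a constructed trust-policy document trusting the given principals."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"Service": list(services)}, "Action": "sts:AssumeRole"}]}

# Constructed sample (not real account data): the instance role is right, the
# execution role was given the EC2 trust policy by mistake, so ECS cannot assume
# it to pull the image or secrets, and the task role trusts EC2 as well.
SAMPLE_ROLES = {
    "ecsInstanceRole": ("instance", policy_for("ec2.amazonaws.com")),
    "ecsTaskExecutionRole": ("execution", policy_for("ec2.amazonaws.com")),
    "myAppTaskRole": ("task", policy_for("ecs-tasks.amazonaws.com", "ec2.amazonaws.com")),
}

def audit(roles=SAMPLE_ROLES):
    """Map each role name to its list of findings."""
    return {name: check_role(kind, pol) for name, (kind, pol) in roles.items()}
```

Running `audit()` on the sample reports the execution role as unassumable by ECS and the task role as trusting one principal too many, while the instance role passes.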