Tags: amazon-web-services, amazon-s3, amazon-iam, amazon-ecs

Do I need AmazonECSTaskExecutionRolePolicy as a task role in AWS ECS Fargate?


I am running an AWS ECS Fargate task. I have noticed that in the task roles both the task role and the task execution role are set to ecsTaskExecutionRole, which contains the AmazonECSTaskExecutionRolePolicy. I want to give my task access to the S3 bucket using AmazonS3FullAccess. I understand that the task execution role must contain the AmazonECSTaskExecutionRolePolicy to function; the question is, can I safely remove the task role and replace it with a new role containing AmazonS3FullAccess in the task role's selected roles?

Should I create a new role containing both AmazonS3FullAccess and AmazonECSTaskExecutionRolePolicy, or just AmazonS3FullAccess?


Solution

  • TL;DR

    the question is, can I safely remove the task role and replace it with a new role containing AmazonS3FullAccess in the task role's selected roles?

    Yes, you can remove AmazonECSTaskExecutionRolePolicy from the Task IAM role and add S3 permissions.

    should I create a new role containing both AmazonS3FullAccess and AmazonECSTaskExecutionRolePolicy, or just AmazonS3FullAccess?

    If by new role you mean the Task IAM Role and not the Task execution IAM role, then just AmazonS3FullAccess.

    Note: Just AmazonS3FullAccess is too permissive (for a production environment); it is better to narrow it down, but for dev it is fine.

    It is also mentioned in the docs of the task IAM role:

    These permissions aren't accessed by the Amazon ECS container and Fargate agents.


    I think you need to understand the difference between the Task execution IAM role and the Task IAM role.

    Task execution IAM role: the IAM role used to execute ECS actions such as pulling the image and storing the application logs in CloudWatch.

    ref: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html

    It has the AmazonECSTaskExecutionRolePolicy attached to it, which gives the Amazon ECS container and Fargate agents permission to make AWS API calls on your behalf.

    It contains the following policy:

    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Action" : [
            "ecr:GetAuthorizationToken",
            "ecr:BatchCheckLayerAvailability",
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchGetImage",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
          ],
          "Resource" : "*"
        }
      ]
    }
    

    Task IAM role : Your Amazon ECS tasks can have an IAM role associated with them. The permissions granted in the IAM role are assumed by the containers running in the task. This role allows your application code (on the container) to use other AWS services. The task role is required when your application accesses other AWS services, such as Amazon S3.

    Ref: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html

    Example of a good restricted policy:

    {
       "Version":"2012-10-17",
       "Statement":[
          {
             "Effect":"Allow",
             "Action":[
                "s3:GetObject"
             ],
             "Resource":[
                "arn:aws:s3:::my-task-secrets-bucket/*"
             ]
          }
       ]
    }
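The check below is an added example, not code from the question or the answer. It reviews the two role slots of a Fargate task definition the way the answer describes them: the execution role keeps only what the ECS agent needs (the actions in AmazonECSTaskExecutionRolePolicy), the task role carries only what the application needs, and the task role's trust policy, rather than its permissions policy, carries the aws:SourceArn and aws:SourceAccount confused-deputy conditions (those keys are not present on a direct S3 call from the application, so a non-IfExists condition on them in a permissions policy never matches). The account id, region, role ARNs, bucket name, task definitions and the permissive trust policy are constructed placeholders; `AGENT_ACTIONS` and `S3_FULL_ACCESS` mirror the two managed policies discussed in the thread.

```python
"""Review the IAM role split of an ECS Fargate task definition.

Added example, not code from the original thread. Account id, region, ARNs,
bucket name and trust policies below are constructed placeholders.
"""

ACCOUNT_ID = "123456789012"  # placeholder account (assumption)
REGION = "us-east-1"         # placeholder region (assumption)

# Actions the ECS agent needs through the *execution* role
# (contents of the managed policy AmazonECSTaskExecutionRolePolicy).
AGENT_ACTIONS = {
    "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
    "logs:CreateLogStream", "logs:PutLogEvents",
}
# Condition keys only populated when a service calls on behalf of a resource;
# they belong in the role's trust policy, never in its permissions policy.
TRUST_ONLY_KEYS = {"aws:sourcearn", "aws:sourceaccount"}

EXECUTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(AGENT_ACTIONS), "Resource": "*"}]}
S3_FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "s3-object-lambda:*"], "Resource": "*"}]}
PERMISSIVE_TRUST = {"Version": "2012-10-17", "Statement": [  # constructed: no conditions
    {"Effect": "Allow", "Principal": {"Service": "ecs-tasks.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}

def task_role_trust_policy(account_id: str, region: str) -> dict:
    """Trust policy: only ECS tasks in this account and region may assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ecs-tasks.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "ArnLike": {"aws:SourceArn": f"arn:aws:ecs:{region}:{account_id}:*"},
            "StringEquals": {"aws:SourceAccount": account_id}}}]}

def task_role_permissions_policy(bucket: str, prefix: str = "") -> dict:
    """Least-privilege replacement for AmazonS3FullAccess: read one prefix of one bucket."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": [f"arn:aws:s3:::{bucket}/{prefix}*"]},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{bucket}"],
         "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}}}]}

def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]

def review(task_def: dict, exec_policy: dict, task_policy: dict, trust: dict) -> list[str]:
    """Return findings for the role split; an empty list means it is clean."""
    findings = []
    if task_def.get("executionRoleArn") == task_def.get("taskRoleArn"):
        findings.append("SAME_ROLE: application code inherits the agent's ECR/logs permissions")
    for stmt in task_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"WILDCARD_ACTION: {action}")
            if action in AGENT_ACTIONS:
                findings.append(f"AGENT_ACTION_IN_TASK_ROLE: {action}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append("WILDCARD_RESOURCE: task role is not scoped to a bucket")
        for operator, keys in stmt.get("Condition", {}).items():
            for key in keys:
                if key.lower() in TRUST_ONLY_KEYS and not operator.lower().endswith("ifexists"):
                    findings.append(f"DEAD_CONDITION: {key} is absent from direct S3 calls, statement never matches")
    for stmt in exec_policy["Statement"]:
        for action in _as_list(stmt.get("Action", [])):
            # secrets/parameter injection is the one extra thing the agent may legitimately need
            if action not in AGENT_ACTIONS and action.split(":")[0] not in {"secretsmanager", "ssm", "kms"}:
                findings.append(f"APP_ACTION_IN_EXECUTION_ROLE: {action}")
    for stmt in trust["Statement"]:
        if stmt.get("Principal", {}).get("Service") != "ecs-tasks.amazonaws.com":
            findings.append("TRUST_PRINCIPAL: task role must trust ecs-tasks.amazonaws.com")
        present = {k.lower() for keys in stmt.get("Condition", {}).values() for k in keys}
        if not TRUST_ONLY_KEYS <= present:
            findings.append("TRUST_MISSING_CONFUSED_DEPUTY_CONDITION")
    return findings

def review_question_setup() -> list[str]:
    """The asker's layout: one role in both slots, AmazonS3FullAccess attached to it."""
    exec_arn = f"arn:aws:iam::{ACCOUNT_ID}:role/ecsTaskExecutionRole"
    task_def = {"executionRoleArn": exec_arn, "taskRoleArn": exec_arn}
    shared = {"Version": "2012-10-17",
              "Statement": EXECUTION_POLICY["Statement"] + S3_FULL_ACCESS["Statement"]}
    return review(task_def, shared, shared, PERMISSIVE_TRUST)

def review_fixed_setup() -> list[str]:
    """The answer's layout: execution role unchanged, separate scoped task role."""
    task_def = {"executionRoleArn": f"arn:aws:iam::{ACCOUNT_ID}:role/ecsTaskExecutionRole",
                "taskRoleArn": f"arn:aws:iam::{ACCOUNT_ID}:role/myAppTaskRole"}  # placeholder names
    return review(task_def, EXECUTION_POLICY,
                  task_role_permissions_policy("my-task-secrets-bucket", "config/"),
                  task_role_trust_policy(ACCOUNT_ID, REGION))
```

`review_question_setup()` reports the shared role (SAME_ROLE), the agent actions now reachable from application code, the `s3:*` wildcard on every bucket, and the missing confused-deputy conditions; `review_fixed_setup()` returns an empty list. Running the same check against a task role whose permissions policy carries an `aws:SourceArn` condition yields a DEAD_CONDITION finding, which is the symptom you would otherwise see as AccessDenied from inside the container.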