Enabling IAM roles for ECS tasks by default
Enabling IAM roles for ECS tasks matters because it gives the tasks the permissions they need to reach other AWS services. Amazon Elastic Container Service (ECS) lets you run containerized applications on a managed cluster of EC2 instances or on serverless infrastructure using Fargate. To enable IAM roles for ECS tasks by default, you define an ECS Task Definition and associate it with an IAM role that grants the permissions your tasks need.
Here is a Pulumi program in TypeScript that demonstrates how to create an ECS task definition with an IAM role, which is automatically assumed by the tasks when they are launched:
```typescript
import * as aws from "@pulumi/aws";

// Create an IAM role that your ECS tasks will assume
const taskExecRole = new aws.iam.Role("taskExecRole", {
    assumeRolePolicy: {
        Version: "2012-10-17",
        Statement: [
            {
                Action: "sts:AssumeRole",
                Effect: "Allow",
                Principal: {
                    Service: "ecs-tasks.amazonaws.com",
                },
            },
        ],
    },
});

// Attach the AmazonECSTaskExecutionRolePolicy to the role
const taskExecRolePolicyAttachment = new aws.iam.RolePolicyAttachment("taskExecRolePolicyAttachment", {
    role: taskExecRole.name,
    policyArn: "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
});

// Create an ECS Task Definition, specifying the IAM role
const taskDefinition = new aws.ecs.TaskDefinition("appTaskDef", {
    family: "myApp",
    networkMode: "awsvpc", // 'awsvpc' mode is required for Fargate
    requiresCompatibilities: ["FARGATE"],
    cpu: "256", // CPU value for the task
    memory: "512", // Memory value for the task
    executionRoleArn: taskExecRole.arn, // Associate the execution role with the task definition
    containerDefinitions: `[{
        "name": "myContainer",
        "image": "myrepo/myimage",
        "memory": 512,
        "cpu": 256,
        "essential": true,
        "portMappings": [{
            "containerPort": 80,
            "hostPort": 80
        }]
    }]`,
}, {
    dependsOn: [taskExecRolePolicyAttachment], // Ensure the policy is attached to the role before creating the task definition
});

// Export the ECS Task Definition ARN
export const taskDefinitionArn = taskDefinition.arn;
```
In this program, the following resources are created:
- IAM Role (`taskExecRole`): an IAM role for ECS tasks that the ECS service is allowed to assume.
- IAM Role Policy Attachment (`taskExecRolePolicyAttachment`): attaches the AWS managed `AmazonECSTaskExecutionRolePolicy` to the IAM role. This policy provides the permissions the ECS tasks need to fetch container images and log to CloudWatch, among other things.
- ECS Task Definition (`taskDefinition`): defines a task with the needed parameters such as network mode, CPU and memory requirements, and, importantly, assigns the IAM execution role to it.
By setting an `executionRoleArn` in the task definition, any task launched with this definition automatically has the permissions associated with the attached IAM role. This sets up a default behavior: tasks don't need to specify an IAM role explicitly each time; they inherit it from the task definition.

The `dependsOn` option ensures that the IAM policy is attached to the role before the `taskDefinition` is created, preventing a possible race condition.

Don't forget to replace `"myrepo/myimage"` with your actual container image in the `containerDefinitions`. Also note that this code is for deploying tasks in AWS Fargate, where you don't manage the underlying servers. If you are using EC2 instances to run your containers, you would adjust the `requiresCompatibilities` and `networkMode` accordingly.

To run this Pulumi program, save it in a file named `index.ts`, make sure you have set up your AWS credentials and Pulumi, install the necessary dependencies by running `npm install @pulumi/aws`, and then execute it by running `pulumi up`. This will create the AWS resources as specified in the program.
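The execution role above is what the ECS agent uses to pull the image and ship logs; permissions the application inside the container needs belong on a separate task role (`taskRoleArn`). As an added example, not part of the original program, the following Pulumi-free TypeScript builds a trust policy for roles assumed by ECS tasks with the `aws:SourceAccount`/`aws:SourceArn` conditions AWS recommends, a least-privilege task-role policy, and a lint check for trust policies; the account id, region and bucket name are constructed placeholders, and the returned objects are what you would pass to `aws.iam.Role` and `aws.iam.RolePolicy` in a program like the one above.

```typescript
// Added example (not from the original page): Pulumi-free helpers that build and review
// the IAM documents for an ECS task; the objects feed aws.iam.Role({ assumeRolePolicy }).
type Condition = Record<string, Record<string, string>>;
interface Statement {
  Effect: "Allow" | "Deny"; Action: string | string[]; Resource?: string | string[];
  Principal?: { Service: string } | "*"; Condition?: Condition;
}
interface PolicyDocument { Version: "2012-10-17"; Statement: Statement[] }

// Trust policy for a role assumed by ECS tasks. The SourceAccount/SourceArn conditions
// restrict which account's ECS service may assume it (AWS's confused-deputy guidance).
function ecsTaskTrustPolicy(accountId: string, region: string): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Action: "sts:AssumeRole",
      Principal: { Service: "ecs-tasks.amazonaws.com" },
      Condition: {
        StringEquals: { "aws:SourceAccount": accountId },
        ArnLike: { "aws:SourceArn": `arn:aws:ecs:${region}:${accountId}:*` },
      },
    }],
  };
}

// Least-privilege policy for the task role (taskRoleArn): what the application inside
// the container may call. The execution role only needs to pull images and write logs.
function s3ReadOnlyTaskPolicy(bucket: string): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [
      { Effect: "Allow", Action: "s3:ListBucket", Resource: `arn:aws:s3:::${bucket}` },
      { Effect: "Allow", Action: "s3:GetObject", Resource: `arn:aws:s3:::${bucket}/*` },
    ],
  };
}
// Review check for a trust policy; an empty result means it passes.
function lintTrustPolicy(doc: PolicyDocument): string[] {
  const findings: string[] = [];
  for (const s of doc.Statement) {
    if (s.Effect !== "Allow") continue;
    if (s.Principal === "*") findings.push("wildcard principal may assume the role");
    else if (s.Principal?.Service !== "ecs-tasks.amazonaws.com")
      findings.push(`unexpected principal ${JSON.stringify(s.Principal)}`);
    if (!s.Condition?.StringEquals?.["aws:SourceAccount"])
      findings.push("no aws:SourceAccount condition (confused-deputy risk)");
  }
  return findings;
}
```

Run `lintTrustPolicy` over the trust policy of the original program (which has no `Condition`) and it reports the missing source-account condition, which is the one-line change worth making before `pulumi up`.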