How do I set an ECS task role to pull ECR images on AWS?
Image pulls from ECR are performed by the ECS agent on the task's behalf, so the role that needs ECR permissions is the task execution role (the `executionRoleArn` of the task definition), not the task role that the application code inside the container assumes at runtime. To set this up we create an IAM role that the ECS tasks service can assume, attach a policy that grants the ECR pull actions, and reference the role from the task definition. Alongside this we add a policy attachment that links the role to the AWS-managed `AmazonECSTaskExecutionRolePolicy`.
Here’s what we’ll be doing in the configuration:
- Create an IAM role with a trust relationship that lets ECS tasks (`ecs-tasks.amazonaws.com`) assume it.
- Attach a policy to the role that allows the ECR actions a pull needs: `ecr:GetAuthorizationToken`, `ecr:BatchCheckLayerAvailability`, `ecr:GetDownloadUrlForLayer` and `ecr:BatchGetImage`. The managed policy `AmazonECSTaskExecutionRolePolicy` already grants all four (plus the CloudWatch Logs actions the agent uses), so a custom policy is only needed when you want to scope the repository-level actions to specific repository ARNs.
- Create an ECS task definition that references the role as its execution role.
- Export the role and task definition ARNs as stack outputs for reference from other stacks.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Create IAM role for ECS task execution
const ecsTaskExecutionRole = new aws.iam.Role("ecs_task_execution_role", {
name: "ecsTaskExecutionRole",
assumeRolePolicy: JSON.stringify({
Statement: [{
Action: "sts:AssumeRole",
Effect: "Allow",
Principal: {
Service: "ecs-tasks.amazonaws.com",
},
}],
Version: "2012-10-17",
}),
});
// Attach AmazonECSTaskExecutionRolePolicy policy to the IAM role
const ecsTaskExecutionRolePolicyAttachment = new aws.iam.RolePolicyAttachment("ecs_task_execution_role_policy_attachment", {
role: ecsTaskExecutionRole.name,
policyArn: "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
});
// Customer-managed policy for the ECR pull actions. AmazonECSTaskExecutionRolePolicy
// already grants these (and ecr:GetAuthorizationToken, which only accepts Resource "*"),
// so this policy is only worth keeping because it can scope the repository-level
// actions to the repository the task actually pulls from.
const ecrAccessPolicy = new aws.iam.Policy("ecr_access_policy", {
name: "ecrAccessPolicy",
policy: JSON.stringify({
Statement: [{
Action: [
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:BatchCheckLayerAvailability",
],
Effect: "Allow",
// Repository ARN of the image referenced in the task definition below
Resource: "arn:aws:ecr:us-west-2:123456789012:repository/example-repo",
}],
Version: "2012-10-17",
}),
});
// Attach custom policy to the ECS task execution role
const ecrAccessPolicyAttachment = new aws.iam.RolePolicyAttachment("ecr_access_policy_attachment", {
role: ecsTaskExecutionRole.name,
policyArn: ecrAccessPolicy.arn,
});
// Example ECS task definition. executionRoleArn is the role the ECS agent uses to pull
// the image and write logs; a taskRoleArn (not set here) would be the role the
// container's application code assumes and should carry only the permissions the app needs.
const exampleTask = new aws.ecs.TaskDefinition("example_task", {
family: "exampleTaskFamily",
networkMode: "awsvpc",
requiresCompatibilities: ["FARGATE"],
cpu: "256",
memory: "512",
executionRoleArn: ecsTaskExecutionRole.arn,
containerDefinitions: JSON.stringify([{
name: "example-container",
image: "123456789012.dkr.ecr.us-west-2.amazonaws.com/example-repo:latest",
essential: true,
memory: 512,
cpu: 256,
portMappings: [{
containerPort: 80,
hostPort: 80,
protocol: "tcp",
}],
}]),
});
export const ecsTaskExecutionRoleArn = ecsTaskExecutionRole.arn;
export const ecsTaskDefinitionArn = exampleTask.arn;
In this configuration, we:
- Create an IAM role that can be assumed by ECS tasks.
- Attach the AmazonECSTaskExecutionRolePolicy managed policy to this role to grant the permissions the ECS agent needs (ECR pulls and CloudWatch Logs).
- Define and attach a custom policy for the ECR pull actions (redundant with the managed policy unless it is scoped to specific repository ARNs).
- Create an ECS task definition that uses this role as its execution role.
- Export the ARNs of the ECS task execution role and task definition for reference.
With this in place, the ECS agent authenticates to ECR with the execution role and pulls the image when the task starts. If a task fails to start with a CannotPullContainerError, the usual causes are a missing ECR permission on the execution role or no network path from the task's subnet to ECR (a NAT gateway, or ECR and S3 VPC endpoints for private subnets).
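As an added example (not code from the page or from Pulumi), the following plain TypeScript builds the least-privilege ECR pull policy document described above and checks an existing policy document for the over-broad pattern. The account ID, region and repository name are assumptions taken from the example image URI; the returned object can be passed through `JSON.stringify` as the `policy` argument of `aws.iam.Policy`.

```typescript
// Added example (not from the original page): build a least-privilege ECR pull
// policy for an ECS task execution role and lint an existing one for Resource "*".
// Account ID, region and repository names are assumptions for illustration.

interface PolicyStatement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
}

interface PolicyDocument {
  Version: "2012-10-17";
  Statement: PolicyStatement[];
}

// GetAuthorizationToken is account-level and only accepts Resource "*";
// the three repository-level actions accept repository ARNs.
const ECR_TOKEN_ACTION = "ecr:GetAuthorizationToken";
const ECR_PULL_ACTIONS = [
  "ecr:BatchCheckLayerAvailability",
  "ecr:GetDownloadUrlForLayer",
  "ecr:BatchGetImage",
];

function ecrRepositoryArn(accountId: string, region: string, repo: string): string {
  return `arn:aws:ecr:${region}:${accountId}:repository/${repo}`;
}

// Produce a policy that grants the token action on "*" and the pull actions
// only on the named repositories.
function buildEcrPullPolicy(accountId: string, region: string, repos: string[]): PolicyDocument {
  if (repos.length === 0) {
    throw new Error("at least one repository is required");
  }
  return {
    Version: "2012-10-17",
    Statement: [
      { Sid: "EcrAuthToken", Effect: "Allow", Action: ECR_TOKEN_ACTION, Resource: "*" },
      {
        Sid: "EcrPullScoped",
        Effect: "Allow",
        Action: ECR_PULL_ACTIONS,
        Resource: repos.map((r) => ecrRepositoryArn(accountId, region, r)),
      },
    ],
  };
}

// Lint check: report Allow statements that grant repository-level ECR pull
// actions on "*" or on a wildcard repository ARN. The token action is ignored
// because "*" is the only valid resource for it.
function findWildcardEcrPullStatements(doc: PolicyDocument): string[] {
  const findings: string[] = [];
  doc.Statement.forEach((stmt, i) => {
    if (stmt.Effect !== "Allow") {
      return;
    }
    const actions = Array.isArray(stmt.Action) ? stmt.Action : [stmt.Action];
    const resources = Array.isArray(stmt.Resource) ? stmt.Resource : [stmt.Resource];
    const broad = resources.some((r) => r === "*" || /:repository\/\*$/.test(r));
    const pull = actions.filter(
      (a) => ECR_PULL_ACTIONS.indexOf(a) !== -1 || a === "ecr:*" || a === "*",
    );
    if (broad && pull.length > 0) {
      const label = stmt.Sid !== undefined ? stmt.Sid : String(i);
      findings.push(`statement ${label}: ${pull.join(",")} allowed on ${resources.join(",")}`);
    }
  });
  return findings;
}

// Constructed input: the over-broad shape of the custom policy in the configuration above.
const wildcardPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: ECR_PULL_ACTIONS, Resource: "*" }],
};

// Scoped replacement for the example account, region and repository (assumed values).
const scopedPolicy = buildEcrPullPolicy("123456789012", "us-west-2", ["example-repo"]);

console.log("wildcard findings:", findWildcardEcrPullStatements(wildcardPolicy));
console.log("scoped findings:", findWildcardEcrPullStatements(scopedPolicy));
console.log(JSON.stringify(scopedPolicy, null, 2));
```

The lint function is deliberately narrow: it flags only the repository-level actions, because `ecr:GetAuthorizationToken` on `"*"` is required and is not a finding. In a Pulumi program the scoped document would replace the hand-written JSON in `ecrAccessPolicy` via `policy: JSON.stringify(buildEcrPullPolicy(...))`.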