Using IAM

Amazon ECS is integrated with, and makes use of, several other AWS services, including Elastic Load Balancing and EC2. ECS makes use of service-linked roles, which are special types of roles associated with a service that provide access to the required AWS services without additional configuration. ECS uses the AWSServiceRoleForECS role to access other AWS services for managing EC2 network interfaces, registering and deregistering instances with a load balancer, and registering targets. A root user does not require any additional configuration to be able to use ECS with Fargate.

Problem: An IAM user does not have permission to create or modify ECS resources or invoke the ECS API by default. An IAM user also does not have permissions to use the ECS Console or the AWS CLI.

Solution: An IAM user must be granted permission to create the AWSServiceRoleForECS role. An IAM policy may be created and associated with an IAM user to grant the requisite permissions to use some of the other AWS services. Some of the AWS services that may be required to run Amazon ECS include:

  • Calls to Amazon ECR to pull Docker images
  • Calls to CloudWatch Logs to store container logs

The AmazonECSTaskExecutionRolePolicy policy is provided to grant permissions for using the aforementioned services.

Some Elastic Load Balancing permissions are not included in the AWSServiceRoleForECS role, so an IAM policy may need to be added in order to use Elastic Load Balancing. The AmazonEC2ContainerServiceRole policy may be used to register and deregister container instances with load balancers. The service auto scaling IAM role (ecsAutoscaleRole) is required to configure auto scaling; an IAM user must add ecsAutoscaleRole, which must include the AmazonEC2ContainerServiceAutoscaleRole policy. To be able to use IAM roles for tasks, the Amazon EC2 Container Service Task Role policy must be added.

The AmazonEC2ContainerServiceforEC2Role policy is not required with the Fargate launch type, as it is provided for the EC2 launch type only.
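The paragraphs above describe which permissions an IAM user needs before it can work with ECS on Fargate: the right to create the AWSServiceRoleForECS service-linked role, the ECS API itself, and a task execution role that carries AmazonECSTaskExecutionRolePolicy. The following Python is an added example, not code from the book, showing what those documents look like when written with least privilege, together with a small audit function that flags statements granting more than the chapter needs. The account id, role name and the audit rules are constructed for illustration; the service-linked-role ARN, the managed policy ARN and the condition keys (`iam:AWSServiceName`, `iam:PassedToService`) are the documented AWS values.

```python
"""Least-privilege IAM documents for an ECS/Fargate operator, plus an audit.

Added example; the account id and role name are constructed placeholders.
"""
import json

# Constructed placeholders: replace with your own account id and role name.
ACCOUNT_ID = "123456789012"
TASK_EXEC_ROLE = "ecsTaskExecutionRole"
TASK_EXEC_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/{TASK_EXEC_ROLE}"

# Documented AWS values: the ECS service-linked role and the managed policy
# the chapter names for the task execution role.
ECS_SLR_ARN = "arn:aws:iam::*:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS"
TASK_EXEC_MANAGED_POLICY = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"


def ecs_user_policy():
    """Customer-managed policy for the IAM user that operates ECS.

    The user may create only the ECS service-linked role (scoped by resource
    ARN and by the iam:AWSServiceName condition), may pass only the task
    execution role and only to ECS tasks, and may call the ECS API.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CreateEcsServiceLinkedRoleOnly",
                "Effect": "Allow",
                "Action": "iam:CreateServiceLinkedRole",
                "Resource": ECS_SLR_ARN,
                "Condition": {"StringLike": {"iam:AWSServiceName": "ecs.amazonaws.com"}},
            },
            {
                "Sid": "PassTaskExecutionRoleToEcsTasks",
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": TASK_EXEC_ROLE_ARN,
                "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}},
            },
            {
                "Sid": "EcsApi",
                "Effect": "Allow",
                "Action": [
                    "ecs:CreateCluster", "ecs:RegisterTaskDefinition", "ecs:CreateService",
                    "ecs:UpdateService", "ecs:RunTask", "ecs:Describe*", "ecs:List*",
                ],
                "Resource": "*",
            },
        ],
    }


def task_execution_trust_policy():
    """Trust policy for the task execution role: only ECS tasks may assume it.

    AmazonECSTaskExecutionRolePolicy (TASK_EXEC_MANAGED_POLICY) is attached to
    this role as its permissions policy; the trust policy only says who may
    assume the role.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ecs-tasks.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return findings for Allow statements that grant more than needed.

    Rules (constructed for this example): a wildcard action, an IAM action on
    all resources with no condition, or iam:PassRole not tied to a service.
    """
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        condition = stmt.get("Condition", {})
        condition_keys = {k for block in condition.values() for k in block}
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
            if action.lower().startswith("iam:") and "*" in resources and not condition:
                findings.append(f"{sid}: {action} on all resources with no condition")
            if action.lower() == "iam:passrole" and "iam:PassedToService" not in condition_keys:
                findings.append(f"{sid}: iam:PassRole not restricted to a service")
    return findings


if __name__ == "__main__":
    print(json.dumps(ecs_user_policy(), indent=2))
    print("findings:", audit_policy(ecs_user_policy()))
```

The audit is deliberately narrow: it catches the two mistakes that most often creep into a "just make it work" ECS policy, a service-wide `iam:*` and an unconditioned `iam:PassRole`, both of which let the user mint or hand out roles well beyond the task execution role this chapter needs.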

In this chapter, we will learn about the following:

  • Creating an IAM User
  • Adding a custom policy for Elastic Load Balancing
  • Logging in as the IAM User

The only prerequisite is an AWS account.
