johnklawlor

Reputation: 1968

Difference between AWS Elastic Container Service's (ECS) ExecutionRole and TaskRole

I'm using AWS's CloudFormation, and I recently spent quite a bit of time trying to figure out why the role I had created and attached policies to was not enabling my ECS task to send a message to a Simple Queue Service (SQS) queue.

I realized that I was incorrectly attaching the SQS permissions policy to the Execution Role when I should have been attaching the policy to the Task Role. I cannot find good documentation that explains the difference between the two roles. The CloudFormation documentation for the two of them is here: ExecutionRole and TaskRole

Upvotes: 157

Views: 57933

Answers (4)

Dexter

Reputation: 4285

All answers provided so far are correct. Adding another viewpoint, in an attempt to make it a bit easier for those who still need further clarification.

Task Role: The ECS setup has some containers. These containers perform the tasks for which they were created. To perform those tasks, the containers need to call other AWS services. Which such services can be called is defined by the Task Role. So, this is the container's role, required for its task.

Task Execution Role: To set up the container itself and maintain it, some tasks are performed. The Container Agent performs those tasks for the container. So, the role required and assumed by the Container Agent to set up the container is the Task Execution Role.

Upvotes: 2

alibabaei12

Reputation: 187

The Execution Role is for the ECS service. The Task Role is for the task.

Upvotes: 1

Kamol Mavlonov

Reputation: 503

The ECS task execution role covers the capabilities of the ECS agent (and container instance), e.g.:

  • Pulling a container image from Amazon ECR
  • Using the awslogs log driver

The ECS task role covers specific capabilities within the task itself, e.g.:

  • When your actual code runs

Upvotes: 49

krethika

Reputation: 4476

Referring to the documentation, you can see that the execution role is the IAM role that executes ECS actions such as pulling the image and storing the application logs in CloudWatch.

The TaskRole then, is the IAM role used by the task itself. For example, if your container wants to call other AWS services like S3, SQS, etc then those permissions would need to be covered by the TaskRole.

Using a TaskRole is functionally the same as using access keys in a config file on the container instance. Using access keys in this way is not secure and is considered very bad practice. I include this in the answer because many people reading this already understand access keys.

Upvotes: 194
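To show the split described in the answers above in the form the question is actually about, here is an added CloudFormation template (it is not from the question or any of the answers). It declares the two roles side by side and wires each into the right property of the task definition: the execution role gets only the AWS-managed `AmazonECSTaskExecutionRolePolicy` (ECR pull plus `logs:CreateLogStream`/`logs:PutLogEvents` for the awslogs driver), and the SQS permission from the question goes on the task role. The queue ARN, log group name, image name and the `sqs-producer` family are assumed values for the example; the `aws:SourceAccount` condition on both trust policies is an optional hardening step against cross-account confused-deputy assumption and is not required for the roles to work.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example: ECS Fargate task definition with a separate execution role
  (used by the ECS agent) and task role (used by the application code).

Parameters:
  QueueArn:
    Type: String
    Description: ARN of the SQS queue the container sends to (assumed to exist).

Resources:
  # Execution role: assumed by the ECS agent on the task's behalf before the
  # container starts. It only needs to pull the image and ship logs, so it
  # gets nothing but the AWS-managed execution policy.
  TaskExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy

  # Task role: the credentials the SDK inside the container obtains from the
  # container credential endpoint. Application permissions (here, sqs:SendMessage)
  # belong on this role, scoped to the one queue.
  TaskRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
      Policies:
        - PolicyName: SendToQueue
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: sqs:SendMessage
                Resource: !Ref QueueArn

  LogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /ecs/sqs-producer   # assumed name for the example
      RetentionInDays: 14

  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: sqs-producer
      RequiresCompatibilities: [FARGATE]
      NetworkMode: awsvpc
      Cpu: '256'
      Memory: '512'
      ExecutionRoleArn: !GetAtt TaskExecutionRole.Arn   # agent: pull image, write logs
      TaskRoleArn: !GetAtt TaskRole.Arn                 # app code: sqs:SendMessage
      ContainerDefinitions:
        - Name: producer
          # assumed ECR repository name
          Image: !Sub '${AWS::AccountId}.dkr.ecr.${AWS::Region}.amazonaws.com/sqs-producer:latest'
          Essential: true
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Ref LogGroup
              awslogs-region: !Ref AWS::Region
              awslogs-stream-prefix: ecs
```

With the SQS statement on `TaskExecutionRole` instead, the stack deploys and the image still pulls, but the application's `SendMessage` call fails with `AccessDenied`, because the SDK in the container is handed credentials for `TaskRoleArn`, never for the execution role. Keeping the two roles minimal in opposite directions is the point: the execution role should never carry application permissions, and the task role should not need ECR or log permissions at all.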
