Difference between task role and execution role in AWS ECS

Today, I want to explain the difference between a task role and an execution role in AWS ECS. Yesterday, I set up AWS ECS for a UAT environment and defined both roles. Let me clarify what a task role and an execution role are, when they are needed, and who uses them.
ECS Task Execution role
In my setup, the container needs to pull Docker images from ECR, send logs to CloudWatch, and retrieve the DB password from AWS Secrets Manager. Without an execution role, the container could not pull images from ECR, send logs to CloudWatch, or retrieve the password from AWS Secrets Manager. The task execution role is used before your container enters the running state.
Who uses it?
The ECS agent uses it, not your application code.
When is it used?
Before the container even starts running.
What is it for?
Pull images from Amazon Elastic Container Registry (ECR)
Send container logs to Amazon CloudWatch
Retrieve secrets from AWS Secrets Manager
Retrieve parameters from AWS Systems Manager
ECS Task role
My application code (business logic) needs to upload PDF files to Amazon S3, store tracking info in Amazon DynamoDB, and publish notifications through Amazon SNS. The ECS task role is not used by the ECS agent; it is used only by your application code inside the container. If the task role is missing, your application still runs, but its AWS API calls fail.
Who uses it?
My application code inside the container.
When is it used?
After the container starts running.
What is it for?
To allow my application to access AWS services.
Examples:
Read/write to Amazon S3
Send messages to Amazon Simple Queue Service
Publish to Amazon Simple Notification Service
Access Amazon DynamoDB
Call other AWS APIs
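To make the split concrete for both sections above, here is an added Python example (not code from the original post) that lints a task definition together with its two IAM policy documents: the execution role must hold only what the agent needs before the container runs (ECR pull, CloudWatch log delivery, reading the injected secret), and the task role only what the business logic calls (S3, DynamoDB, SNS). The account id 111122223333, region eu-west-1, resource names and ARNs are constructed placeholders; the IAM action names are real.

```python
"""Check the execution-role / task-role split of an ECS task definition.

Added example, not code from the original post. The task definition, policy
documents, account id 111122223333, region and resource names below are
constructed placeholders; the IAM action names are real.
"""
import fnmatch

# Service prefixes that belong to application code, never to the ECS agent.
APP_PREFIXES = ("s3:", "dynamodb:", "sns:", "sqs:")
# Actions the agent needs to pull the image before the container starts.
PULL_ACTIONS = ("ecr:GetAuthorizationToken", "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability")
LOG_ACTIONS = ("logs:CreateLogStream", "logs:PutLogEvents")

ACCOUNT, REGION = "111122223333", "eu-west-1"  # constructed placeholders

# Constructed least-privilege execution role policy for the setup in the post.
EXECUTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"},
        {"Effect": "Allow", "Action": list(PULL_ACTIONS[1:]),
         "Resource": f"arn:aws:ecr:{REGION}:{ACCOUNT}:repository/uat-app"},
        {"Effect": "Allow", "Action": list(LOG_ACTIONS),
         "Resource": f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:/ecs/uat-app:*"},
        {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
         "Resource": f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:uat/db-password-*"},
    ],
}

# Constructed task role policy: only what the business logic calls.
TASK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::uat-app-pdfs/*"},
        {"Effect": "Allow", "Action": ["dynamodb:PutItem", "dynamodb:GetItem"],
         "Resource": f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/uat-tracking"},
        {"Effect": "Allow", "Action": ["sns:Publish"],
         "Resource": f"arn:aws:sns:{REGION}:{ACCOUNT}:uat-notifications"},
    ],
}

# Constructed task definition fragment. Both role ARNs are task-level fields;
# the secret and the awslogs driver are handled by the agent (execution role),
# while the app's S3/DynamoDB/SNS calls use the task role.
TASK_DEFINITION = {
    "family": "uat-app",
    "executionRoleArn": f"arn:aws:iam::{ACCOUNT}:role/uat-app-execution",
    "taskRoleArn": f"arn:aws:iam::{ACCOUNT}:role/uat-app-task",
    "containerDefinitions": [{
        "name": "app",
        "image": f"{ACCOUNT}.dkr.ecr.{REGION}.amazonaws.com/uat-app:latest",
        "secrets": [{"name": "DB_PASSWORD",
                     "valueFrom": f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:uat/db-password-AbCdEf"}],
        "logConfiguration": {"logDriver": "awslogs",
                             "options": {"awslogs-group": "/ecs/uat-app"}},
    }],
}


def allowed_actions(policy):
    """Collect every Allow action in a policy (Action may be a string or a list)."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            act = stmt.get("Action", [])
            actions.update([act] if isinstance(act, str) else act)
    return actions


def grants(actions, wanted):
    """True if some granted action, wildcards such as 'ecr:*' included, covers `wanted`."""
    return any(fnmatch.fnmatchcase(wanted, granted) for granted in actions)


def check_role_separation(task_def, execution_policy, task_policy):
    """Return a list of findings; an empty list means the split matches the post."""
    findings = []
    exec_actions = allowed_actions(execution_policy)
    task_actions = allowed_actions(task_policy)
    containers = task_def.get("containerDefinitions", [])

    if not task_def.get("taskRoleArn"):
        findings.append("no taskRoleArn set: the container starts but its AWS API calls fail")
    for needed in PULL_ACTIONS:
        if not grants(exec_actions, needed):
            findings.append(f"execution role lacks {needed}: the image pull fails")
    injects_secrets = any(c.get("secrets") for c in containers)
    if injects_secrets and not grants(exec_actions, "secretsmanager:GetSecretValue"):
        findings.append("execution role cannot read the secrets the task definition injects")
    if any(c.get("logConfiguration", {}).get("logDriver") == "awslogs" for c in containers):
        for needed in LOG_ACTIONS:
            if not grants(exec_actions, needed):
                findings.append(f"execution role lacks {needed}: CloudWatch log delivery fails")
    # Over-privilege: the agent never uses application permissions, and the
    # application never pulls images, so each side should not carry the other's rights.
    for a in sorted(exec_actions):
        if a == "*" or a.startswith(APP_PREFIXES):
            findings.append(f"execution role grants application action {a}; the ECS agent never needs it")
    for a in sorted(task_actions):
        if a == "*" or a.startswith("ecr:"):
            findings.append(f"task role grants {a}; image pulls are done by the agent, not the app")
    return findings


if __name__ == "__main__":
    for line in check_role_separation(TASK_DEFINITION, EXECUTION_POLICY, TASK_POLICY) or ["ok"]:
        print(line)
```

Running the script on the constructed definition prints `ok`; dropping `taskRoleArn` reproduces the symptom described above (the container runs, the application's calls fail), and adding something like `s3:*` to the execution role is reported as a permission the agent will never use.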
I hope you understand the difference between a task role and an execution role in AWS ECS.