Create an IAM (Identity and Access Management) role for the Fargate tasks – give permissions to access RDS, EFS and Systems Manager. This will later be set as the ECS Task Role. You also need to create a task execution role for the Fargate platform to access other AWS services – This will be used for access to SSM Parameter Store (used for storing key-value pairs and secrets)

ECS Task Role

IAM > Roles > Create role
Elastic Container Service > Elastic Container Service Task >
Role Name: ecs-task-full-access
Allows ECS tasks to call RDS, EFS and SSM with full access.

Policies

• AmazonRDSFullAccess
• AmazonElasticFileSystemFullAccess
• AmazonSSMReadOnlyAccess

ECS Task Execution Role

Create a new ECS Task Execution Role, used by the Fargate platform itself to connect with

Create Role > Elastic Container Service Task > Add policy: AmazonECSTaskExecutionRolePolicy
Name: ECSCustomTaskExecutionRole > Save

Add an inline policy to the ECS Task Execution Role

IAM > Roles > ECSCustomTaskExecutionRole > Add inline policy > JSON

{
    "Version":"2012-10-17",
    "Statement":[
       {
          "Sid":"VisualEditor0",
          "Effect":"Allow",
          "Action":"secretsmanager:GetSecretValue",
          "Resource":"arn:aws:secretsmanager:ap-southeast-1:309159740832:secret:"       
       },       
      {          
           "Sid":"VisualEditor1",
          "Effect":"Allow",
          "Action":"ssm:GetParameters",
          "Resource":[             
              "arn:aws:ssm:ap-southeast-1:309159740832:parameter/",
              "arn:aws:secretsmanager:ap-southeast-1:309159740832:secret:*"
          ]
       }
    ]
 }

Review Policy > Name: ParameterStoreReadAccess > Create