Create an IAM (Identity and Access Management) role for the Fargate tasks and give it permissions to access RDS, EFS and Systems Manager. This will later be set as the ECS Task Role. You also need to create a task execution role that the Fargate platform itself uses to access other AWS services; this will be used for access to SSM Parameter Store (used for storing key-value pairs and secrets).
ECS Task Role
IAM > Roles > Create role
Use case: Elastic Container Service > Elastic Container Service Task
Role Name: ecs-task-full-access
Description: Allows ECS tasks to call RDS, EFS and SSM with full access.
Attach policies:
- AmazonRDSFullAccess
- AmazonElasticFileSystemFullAccess
- AmazonSSMReadOnlyAccess
ECS Task Execution Role
Create a new ECS Task Execution Role, used by the Fargate platform itself to connect with
Create Role > Elastic Container Service Task > Add policy: AmazonECSTaskExecutionRolePolicy
Name: ECSCustomTaskExecutionRole > Save
Add an inline policy to the ECS Task Execution Role
IAM > Roles > ECSCustomTaskExecutionRole > Add inline policy > JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:ap-southeast-1:309159740832:secret:*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "ssm:GetParameters",
      "Resource": [
        "arn:aws:ssm:ap-southeast-1:309159740832:parameter/*",
        "arn:aws:secretsmanager:ap-southeast-1:309159740832:secret:*"
      ]
    }
  ]
}
Review Policy > Name: ParameterStoreReadAccess > Create
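The same two roles expressed as code rather than console clicks, added here as an example that is not part of the original guide: it reproduces the trust policy the "Elastic Container Service Task" use case applies, attaches the managed policies listed above, narrows the inline policy's trailing wildcards (which as written let the execution role read every parameter and secret in the account and region) to a parameter path and secret name prefix, and refuses to apply a policy that is still account-wide. The region and account ID are the ones in the guide's ARNs; the `myapp` prefixes and the boto3 IAM client passed to `create_roles` are assumptions.

```python
import json

REGION, ACCOUNT = "ap-southeast-1", "309159740832"
TASK_ROLE, EXEC_ROLE = "ecs-task-full-access", "ECSCustomTaskExecutionRole"
TASK_ROLE_POLICIES = [
    "arn:aws:iam::aws:policy/AmazonRDSFullAccess",
    "arn:aws:iam::aws:policy/AmazonElasticFileSystemFullAccess",
    "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess",
]
EXEC_ROLE_POLICIES = ["arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"]

def ecs_task_trust_policy() -> dict:
    """Trust policy the console's 'Elastic Container Service Task' use case applies."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": "ecs-tasks.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}

def parameter_store_read_policy(param_prefix: str, secret_prefix: str) -> dict:
    """The guide's inline policy, its wildcards narrowed to one parameter path and secret prefix."""
    ssm_arn = f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/{param_prefix}/*"
    secret_arn = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:{secret_prefix}/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": "secretsmanager:GetSecretValue", "Resource": secret_arn},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": "ssm:GetParameters", "Resource": [ssm_arn, secret_arn]},
    ]}

def overbroad_resources(policy: dict) -> list:
    """Allow resources whose resource part is a bare wildcard, i.e. every parameter or secret."""
    found = []
    for stmt in policy["Statement"]:
        res = stmt["Resource"]
        for arn in (res if isinstance(res, list) else [res]):
            # arn:partition:service:region:account:<resource>; maxsplit keeps the resource part whole
            if stmt["Effect"] == "Allow" and arn.split(":", 5)[-1] in ("*", "parameter/*", "secret:*"):
                found.append(arn)
    return found

def create_roles(iam, param_prefix: str = "myapp", secret_prefix: str = "myapp") -> None:
    """Apply the guide's steps through a boto3 IAM client the caller supplies (assumed)."""
    trust = json.dumps(ecs_task_trust_policy())
    for role, policies in ((TASK_ROLE, TASK_ROLE_POLICIES), (EXEC_ROLE, EXEC_ROLE_POLICIES)):
        iam.create_role(RoleName=role, AssumeRolePolicyDocument=trust)
        for arn in policies:
            iam.attach_role_policy(RoleName=role, PolicyArn=arn)
    inline = parameter_store_read_policy(param_prefix, secret_prefix)
    assert not overbroad_resources(inline), "refusing to apply an account-wide read policy"
    iam.put_role_policy(RoleName=EXEC_ROLE, PolicyName="ParameterStoreReadAccess",
                        PolicyDocument=json.dumps(inline))
```

Running `overbroad_resources` over the console policy above returns both of its ARNs, which is the signal to narrow them before attaching the policy.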