Configure IAM Roles for AWS ECS

Overview

Amazon Elastic Container Service (ECS) is a fully managed container orchestration service provided by AWS. It enables you to run and manage Docker containers at scale without setting up or maintaining the underlying infrastructure. The Amazon S3 Account now supports the ECS environment (along with EC2) with IAM roles. To access the S3 bucket using the IAM role in the Amazon S3 account, you need to configure the ECS instance and attach the IAM role to it.

Key Components

  • IAM role

  • ECS instance

  • ECS Task Definition

Prerequisites

Key Steps

  1. Download the docker image from Admin Manager

  2. Push the Docker image to ECR

  3. Create an ECS Cluster

  4. Create an IAM role

  5. Define a task definition

  6. Create a service

  7. Run the service

  8. Monitor the service

Launch a container from an image in AWS ECS

Follow these steps to launch a container in ECS using an image stored in AWS Elastic Container Registry (ECR):

  1. Download the Docker image using the docker pull command from Admin Manager as shown below.
    docker pull <image_name>:<tag>

  2. Push the Docker image to ECR.

  3. Create an ECS Cluster.

    1. In the AWS Management Console, navigate to ECS.

    2. In the Create cluster page, configure a new cluster.

    3. Select AWS Fargate (serverless) under Infrastructure.

    4. Click Create.

  4. Create an IAM role.

  5. Create a new Task definition.

    1. In the AWS Management Console, navigate to the ECS Console.

    2. Click Task Definitions and select Create a new task definition with JSON.

    3. Choose the Launch type compatibility as Fargate (serverless).

    4. Configure the task definition:

      • Task name: Provide a name, for example, demo-ecs-td

      • Add a container:

        • Container name: Specify a meaningful name.

        • Image: Provide the Docker image URL, for example, snaplogic/snaplex:latest. You can copy the URL from ECR (step 2).

        • Memory Limits: Set memory and CPU resources as per your use case.

      • Add the global.properties and keys.properties in the JSON file of the task definition (as shown below) or upload the slpropz file to the S3 bucket. The container start command below installs the AWS CLI, copies both files from the bucket into /opt/snaplogic/etc/, and then starts the node with jcc.sh:

        "yum update -y && yum install -y wget unzip && wget 'https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip' -O 'awscliv2.zip' && unzip awscliv2.zip && ./aws/install && aws s3 cp s3://bucket_name/folder_name/global.properties /opt/snaplogic/etc/ && aws s3 cp s3://bucket_name/folder_name/keys.properties /opt/snaplogic/etc/ && chown -R snapuser:snapuser /opt/snaplogic/etc/ && /opt/snaplogic/bin/jcc.sh start && tail -f /dev/null"

    5. Save the task definition.

  6. Create a Service.

    1. Select the cluster from the Existing cluster dropdown list.

    2. Select the task definition (demo-ecs-td) you created.

    3. Navigate to your ECS cluster (demo-ecs-cluster) and create a service (demo-ecs-service).

  7. Run the Service in the ECS console.
    ECS will launch the containers using the task definition and the ECR image.

  8. Monitor the Service.
    Use the ECS Console or AWS CloudWatch to monitor your service's status and performance.

JSON file

{
    "taskDefinitionArn": "arn:aws:ecs:us-west-2:123456789012:task-definition/my-task:1",
    "containerDefinitions": [
        {
            "name": "testcontainer",
            "image": "123456789012.dkr.ecr.us-west-2.amazonaws.com/test-image:ecr",
            "cpu": 2048,
            "memory": 4096,
            "memoryReservation": 2048,
            "portMappings": [
                { "name": "testcontainer-80-tcp", "containerPort": 8081, "hostPort": 8081, "protocol": "tcp" },
                { "name": "testcontainer1-80-tcp2", "containerPort": 8090, "hostPort": 8090, "protocol": "tcp" }
            ],
            "essential": true,
            "command": [
                "sh",
                "-c",
                "yum update -y && yum install -y wget unzip && wget 'https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip' -O 'awscliv2.zip' && unzip awscliv2.zip && ./aws/install && aws s3 cp s3://bucket_name/folder_name/global.properties /opt/snaplogic/etc/ && aws s3 cp s3://bucket_name/folder_name/keys.properties /opt/snaplogic/etc/ && chown -R snapuser:snapuser /opt/snaplogic/etc/ && /opt/snaplogic/bin/jcc.sh start && tail -f /dev/null"
            ],
            "environment": [
                { "name": "LANG", "value": "en_US.UTF-8" },
                { "name": "LC_ALL", "value": "en_US.UTF-8" },
                { "name": "JAVA_TOOL_OPTIONS", "value": "-Dfile.encoding=UTF-8 -Dsun.jnu.encoding=UTF-8" }
            ],
            "mountPoints": [
                { "sourceVolume": "app-config", "containerPath": "/opt/snaplogic/etc/", "readOnly": false },
                { "sourceVolume": "tmp-volume", "containerPath": "/tmp", "readOnly": false }
            ],
            "volumesFrom": [],
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {
                    "awslogs-group": "/ecs/loggroup-name",
                    "awslogs-create-group": "true",
                    "awslogs-region": "us-west-2",
                    "awslogs-stream-prefix": "ecs"
                }
            },
            "systemControls": []
        }
    ],
    "family": "test-ecs",
    "taskRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "networkMode": "awsvpc",
    "revision": 1,
    "volumes": [
        { "name": "app-config", "host": {} },
        { "name": "tmp-volume", "host": {} }
    ],
    "status": "ACTIVE",
    "requiresAttributes": [
        { "name": "com.amazonaws.ecs.capability.logging-driver.awslogs" },
        { "name": "ecs.capability.execution-role-awslogs" },
        { "name": "com.amazonaws.ecs.capability.ecr-auth" },
        { "name": "com.amazonaws.ecs.capability.docker-remote-api.1.19" },
        { "name": "com.amazonaws.ecs.capability.docker-remote-api.1.21" },
        { "name": "com.amazonaws.ecs.capability.task-iam-role" },
        { "name": "ecs.capability.execution-role-ecr-pull" },
        { "name": "com.amazonaws.ecs.capability.docker-remote-api.1.18" },
        { "name": "ecs.capability.task-eni" },
        { "name": "com.amazonaws.ecs.capability.docker-remote-api.1.29" }
    ],
    "placementConstraints": [],
    "compatibilities": [ "EC2", "FARGATE" ],
    "requiresCompatibilities": [ "EC2", "FARGATE" ],
    "cpu": "2048",
    "memory": "8192",
    "runtimePlatform": { "cpuArchitecture": "X86_64", "operatingSystemFamily": "LINUX" },
    "registeredAt": "2025-01-10T11:03:11.429Z",
    "registeredBy": "arn:aws:iam::123456789012:assumed-role/aws-reserved-sso_3mk8fa2kc89w1/john.doe@example.com",
    "enableFaultInjection": false,
    "tags": []
}

Add AWS IAM policy that grants permissions for an ECS task

  1. Log in to the AWS console. Open the IAM console, navigate to Access Management > Roles, and click the Create role button.

  2. Select the AWS service as the Trusted entity type.

  3. Select the Elastic Container Service Task as the Use case, and click Next.

  4. In the Add permissions policies page, click Create Policy.

  5. Create the following ECS Task Execution Role Policy and attach it to the IAM role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:DescribeImages",
                "ecr:ListImages",
                "ecr:BatchGetImage"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::your-bucket-name",
                "arn:aws:s3:::your-bucket-name/*"
            ]
        }
    ]
}

  6. Add the ECR, ECS, and S3 policies.
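As an added example (not part of this page or of SnapLogic's tooling), a small Python check that reads a task definition together with the policy above and flags what a reviewer would look for before registering it: bucket names the container start command copies from that the policy never grants, actions allowed on Resource "*" that accept a resource ARN, and a taskRoleArn that is identical to the executionRoleArn. The two constants are constructed from the page's own JSON, trimmed to the fields the checks read; bucket_name and your-bucket-name are the page's placeholders, and the mismatch between them is exactly what the first check catches.

```python
import re
# Constructed sample input: the page's task definition and policy, trimmed to what the checks read.
TASK_DEF = {
    "containerDefinitions": [{"name": "testcontainer", "command": ["sh", "-c",
        "aws s3 cp s3://bucket_name/folder_name/global.properties /opt/snaplogic/etc/ && "
        "aws s3 cp s3://bucket_name/folder_name/keys.properties /opt/snaplogic/etc/"]}],
    "taskRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
}
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken", "ecr:BatchGetImage"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::your-bucket-name", "arn:aws:s3:::your-bucket-name/*"]},
]}
WILDCARD_ONLY = {"ecr:GetAuthorizationToken"}  # IAM evaluates these only against Resource "*"

def as_list(v):
    return v if isinstance(v, list) else [v]

def s3_buckets_in_command(task_def):
    """Bucket names behind every s3:// URI in the containers' start commands."""
    buckets = set()
    for c in task_def.get("containerDefinitions", []):
        for part in c.get("command", []):
            buckets.update(re.findall(r"s3://([^/\s]+)", part))
    return buckets

def s3_buckets_in_policy(policy):
    """Bucket names the policy's s3:* statements actually grant access to."""
    buckets = set()
    for st in policy["Statement"]:
        if any(a.startswith("s3:") for a in as_list(st["Action"])):
            for r in as_list(st["Resource"]):
                m = re.match(r"arn:aws:s3:::([^/]+)", r)
                if m:
                    buckets.add(m.group(1))
    return buckets

def lint(task_def, policy):
    """Findings a reviewer would raise before registering this task definition."""
    findings = [f"command copies from s3://{b} but the policy grants no access to that bucket"
                for b in sorted(s3_buckets_in_command(task_def) - s3_buckets_in_policy(policy))]
    for st in policy["Statement"]:
        if "*" in as_list(st["Resource"]):
            findings += [f"{a} is allowed on Resource '*'; scope it to the repository or log group ARN"
                         for a in as_list(st["Action"]) if a not in WILDCARD_ONLY]
    if task_def.get("taskRoleArn") == task_def.get("executionRoleArn"):
        findings.append("taskRoleArn equals executionRoleArn: use separate task and execution roles")
    return findings
```

To run it against real files, replace the two constants with json.load of the exported task definition and the policy document.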