
Execution and Task Roles

ECS task definitions reference two IAM roles by name. Keeping them separate is what lets the ECS agent and your application code each hold only the permissions they need:

  • execution_role_name: assumed by the ECS agent on your behalf to start the task, e.g., pulling images from ECR, writing to CloudWatch Logs, and fetching SSM Parameter Store values injected as container secrets. Your application code never runs with this role.
  • task_role_name: assumed by the containers themselves for AWS API calls the application makes at runtime (e.g., reading SSM Parameter Store).

How it wires together:

  • Define role documents and policies in tfvars (policy_documents and iampolicies).
  • Define roles in iamroles and reference policy document keys via assume_role_policy.
  • Reference the role names from task_definitions (execution_role_name, task_role_name).

Assume-role policy for ECS tasks (policy_documents):

policy_documents = {
  ecs_task = {
    statement = [{
      sid    = "ECSTasksAssumeRole"
      effect = "Allow"
      principals = {
        type        = "Service"
        identifiers = ["ecs-tasks.amazonaws.com"]
      }
      actions = ["sts:AssumeRole"]
      # No resources here: this document becomes a role trust policy, and IAM
      # rejects a Resource element in trust policies (the role itself is the
      # implicit resource).
    }]
  }
}

Example policies (iampolicies) referenced by roles:

iampolicies = {
  SSMReadParameters = {
    # points at a policy_document key defined elsewhere, e.g., "ssm_read"
    policy = "ssm_read"
  }
}

Define IAM roles (iamroles):

iamroles = {
  ecsTaskExecutionRole = {
    # include the AWS managed policy and any custom policies you need
    policies = [
      "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
      "SSMReadParameters"
    ]
    assume_role_policy = "ecs_task"
  }

  ecsTaskRole = {
    policies = ["SSMReadParameters"]
    assume_role_policy = "ecs_task"
  }
}
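As an added example (not the page's or the module's own configuration), here is the `ssm_read` policy document that `SSMReadParameters` points at, scoped to a single parameter hierarchy, plus a `task_definitions` entry that references the two role names. It assumes the `policy_documents` schema shown above; `REGION`, `ACCOUNT_ID`, the `/myapp/prod/` parameter path and the `myapp` task key are placeholders, and any `task_definitions` attributes beyond the two role-name keys are left to the module's own schema.

```hcl
# Added example, not part of the original page. The ssm_read entry belongs in
# the same policy_documents map as ecs_task above (tfvars assigns a variable
# once); it is shown on its own here for clarity. REGION, ACCOUNT_ID and the
# /myapp/prod/ parameter path are placeholders to replace.
policy_documents = {
  ssm_read = {
    statement = [{
      sid    = "ReadAppParameters"
      effect = "Allow"
      actions = [
        "ssm:GetParameter",
        "ssm:GetParameters",       # the execution role uses this for container secrets
        "ssm:GetParametersByPath",
      ]
      # Scope to one parameter hierarchy rather than "*" so a task holding
      # this role cannot read other applications' parameters.
      resources = ["arn:aws:ssm:REGION:ACCOUNT_ID:parameter/myapp/prod/*"]
    }]
    # If the parameters are SecureString values encrypted with a customer
    # managed KMS key, add a second statement granting kms:Decrypt on that
    # key's ARN only (assumption about your key setup).
  }
}

# Task definition wiring: both names must match keys in iamroles above.
task_definitions = {
  myapp = {
    execution_role_name = "ecsTaskExecutionRole"
    task_role_name      = "ecsTaskRole"
    # remaining attributes (container definitions, CPU/memory, etc.) follow
    # this module's own task_definitions schema and are omitted here
  }
}
```

With this split, the execution role can only read the one parameter path it needs to inject secrets at startup, and the task role grants the running containers the same narrowly scoped read access and nothing else; widening either role means editing `ssm_read` deliberately rather than inheriting a wildcard.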