134

I'm using AWS's CloudFormation, and I recently spent quite a bit of time trying to figure out why the role I had created and attached policies to was not enabling my ECS task to send a message to a Simple Queue Service (SQS) queue.

I realized that I was incorrectly attaching the SQS permissions policy to the Execution Role when I should have been attaching the policy to the Task Role. I cannot find good documentation that explains the difference between the two roles. The CloudFormation documentation for the two of them is here: ExecutionRole and TaskRole

BMW
johnklawlor

3 Answers

158

Referring to the documentation, you can see that the execution role is the IAM role that executes ECS actions such as pulling the image and storing the application logs in CloudWatch.

The TaskRole then, is the IAM role used by the task itself. For example, if your container wants to call other AWS services like S3, SQS, etc then those permissions would need to be covered by the TaskRole.

Using a TaskRole is functionally the same as using access keys in a config file on the container instance. Using access keys in this way is not secure and is considered very bad practice. I include this in the answer because many people reading this already understand access keys.

krethika

  • Anyway, best practice is using an attached IAM role rather than locally stored access keys. – Chamin Wickramarathna Jul 10 '19 at 09:14
  • There are also [Container Instance Roles](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html). The important thing to note is that your containers will automatically be able to use these roles as well. So best practice is to have the Container Instance Roles at minimum, and extend it (if needed) by task roles. – Marcin Feb 03 '20 at 04:29
  • What is the best practice, should task role and task execution role be the same role or two different roles? – thnee Feb 24 '21 at 12:40
  • This is a good primer on the described differences https://www.youtube.com/watch?v=nKhtSmYRfxs – lony Jul 28 '21 at 15:25
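The split the accepted answer describes (execution role = what the ECS agent needs to start the task, task role = what the application code needs) can be checked mechanically before a template is deployed. The following is an added example, not code from the question, the answers, or AWS: it builds a small CloudFormation template as a Python dict in both the wrong shape from the question (`sqs:SendMessage` on the execution role) and the corrected shape (`sqs:SendMessage` on the task role, scoped to the queue), then audits the task definition. Resource names (`AppQueue`, `ExecutionRole`, `TaskRole`, `AppTask`), the image name, and the allow-list of execution-role actions are assumptions chosen for the example; both roles trust `ecs-tasks.amazonaws.com`, which is the service principal ECS uses to assume task and execution roles.

```python
"""Audit the execution-role / task-role split of an ECS task definition.

Added example; the template fragments are constructed, not from the page.
"""
from typing import Dict, List, Set

# Actions the execution role legitimately needs: image pull and log delivery.
# Anything beyond this belongs on the task role (least privilege).
EXECUTION_ACTIONS = {
    "ecr:GetAuthorizationToken", "ecr:BatchGetImage",
    "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability",
    "logs:CreateLogStream", "logs:PutLogEvents",
}

# Both roles are assumed by the ECS tasks service principal.
TRUST_ECS_TASKS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ecs-tasks.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}


def role(actions: Set[str], resource="*") -> Dict:
    """Build an AWS::IAM::Role with one inline policy (constructed helper)."""
    props = {"AssumeRolePolicyDocument": TRUST_ECS_TASKS}
    if actions:  # an empty Action list is invalid IAM, so omit the policy
        props["Policies"] = [{"PolicyName": "inline", "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(actions),
                           "Resource": resource}]}}]
    return {"Type": "AWS::IAM::Role", "Properties": props}


def template(sqs_on_execution_role: bool) -> Dict:
    """Constructed template: the mistake from the question, or the fix."""
    exec_actions, task_actions = set(EXECUTION_ACTIONS), set()
    (exec_actions if sqs_on_execution_role else task_actions).add("sqs:SendMessage")
    return {"Resources": {
        "AppQueue": {"Type": "AWS::SQS::Queue"},
        "ExecutionRole": role(exec_actions),
        # Task role is scoped to the one queue the application sends to.
        "TaskRole": role(task_actions, {"Fn::GetAtt": ["AppQueue", "Arn"]}),
        "AppTask": {"Type": "AWS::ECS::TaskDefinition", "Properties": {
            "Family": "app",
            "ExecutionRoleArn": {"Fn::GetAtt": ["ExecutionRole", "Arn"]},
            "TaskRoleArn": {"Fn::GetAtt": ["TaskRole", "Arn"]},
            "ContainerDefinitions": [{"Name": "app", "Image": "example/app:1"}]}}}}


def resolve_role(ref) -> str:
    """Return the logical id behind a {"Ref": ...} or {"Fn::GetAtt": [id, "Arn"]}."""
    if isinstance(ref, dict):
        if "Ref" in ref:
            return ref["Ref"]
        if "Fn::GetAtt" in ref:
            return ref["Fn::GetAtt"][0]
    raise ValueError(f"unsupported role reference: {ref!r}")


def role_actions(role_res: Dict) -> Set[str]:
    """Collect every Allow action in the role's inline policies."""
    acts: Set[str] = set()
    for pol in role_res["Properties"].get("Policies", []):
        for st in pol["PolicyDocument"]["Statement"]:
            if st["Effect"] == "Allow":
                a = st["Action"]
                acts.update([a] if isinstance(a, str) else a)
    return acts


def audit(tpl: Dict, required_task_actions: Set[str]) -> List[str]:
    """Flag app-level permissions on the execution role, missing permissions
    on the task role, and roles that ECS tasks could not assume."""
    findings, res = [], tpl["Resources"]
    for lid, r in res.items():
        if r["Type"] != "AWS::ECS::TaskDefinition":
            continue
        exec_id = resolve_role(r["Properties"]["ExecutionRoleArn"])
        task_id = resolve_role(r["Properties"]["TaskRoleArn"])
        for rid in (exec_id, task_id):
            trust = res[rid]["Properties"]["AssumeRolePolicyDocument"]
            svcs = {s["Principal"].get("Service") for s in trust["Statement"]}
            if "ecs-tasks.amazonaws.com" not in svcs:
                findings.append(f"{rid}: not assumable by ecs-tasks.amazonaws.com")
        for a in sorted(role_actions(res[exec_id]) - EXECUTION_ACTIONS):
            findings.append(f"{lid}: execution role {exec_id} grants app-level "
                            f"action {a}; move it to task role {task_id}")
        for a in sorted(required_task_actions - role_actions(res[task_id])):
            findings.append(f"{lid}: task role {task_id} does not allow {a}")
    return findings


if __name__ == "__main__":
    for wrong in (True, False):
        print("sqs on execution role" if wrong else "sqs on task role",
              audit(template(wrong), {"sqs:SendMessage"}) or ["ok"])
```

Run against the wrong template the audit reports two findings (the misplaced `sqs:SendMessage` on the execution role and its absence from the task role); against the corrected template it reports none. The same check works on a real template loaded from JSON, as long as the role references use `Ref` or `Fn::GetAtt`.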
35

The ECS task execution role covers the capabilities of the ECS agent (and container instance), e.g.:

  • Pulling a container image from Amazon ECR
  • Using the awslogs log driver

The ECS task role covers capabilities within the task itself, e.g.:

  • When your actual code runs
Kamol Mavlonov
0

The Execution Role is for the ECS service. The Task Role is for the task.

Archmede
alibabaei12