I am writing an AWS Lambda function to trigger an ECS Fargate task. I am following the example provided at Run tasks with AWS Fargate and Lambda. While my setup works, there is one of the parts involving IAM roles that I do not understand.
One of the steps is to create an ECS task. I create that task with its "Task execution IAM role" left at ecsTaskExecutionRole. According to the info on the ECS task setup page, the "Task execution IAM role" is
The role that authorizes Amazon ECS to pull private images and publish logs for your task. This takes the place of the EC2 Instance role when running tasks.
Next, I create the Lambda function. Part of that Lambda function setup is the creation of another IAM role because, according to the "Run tasks with AWS Fargate and Lambda" page,
The Lambda would need IAM role with 2 policies - one to run the task, and second to pass the ecsTaskExecutionRole to the task.
The role looks like this (I have compressed the white-space to save space):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1512361420000",
      "Effect": "Allow",
      "Action": [
        "ecs:RunTask"
      ],
      "Resource": [ "*" ]
    },
    {
      "Sid": "Stmt1512361593000",
      "Effect": "Allow",
      "Action": [ "iam:PassRole" ],
      "Resource": [ "arn:aws:iam::************:role/ecsTaskExecutionRole" ]
    }
  ]
}
What I don't understand is why the Lambda function has to have this iam:PassRole permission. Why does the Lambda function have to "pass the ecsTaskExecutionRole to the task"? Doesn't the ECS task get that role assigned automatically when it runs due to the fact that I set "Task execution IAM role" to ecsTaskExecutionRole? If not, then what is the point of the "Task execution IAM role" setting?
To quote AWS documentation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html):
The ecsTaskExecutionRole parameter defines IAM permissions that you want to give to the Fargate task. In most cases users will just use the AWS managed role "role/ecsTaskExecutionRole" which allows downloading of any image from ECR. But imagine you had a different policy that only allowed downloading of a specific image.
Your administrator only wants you to be able to use that policy so he uses the iam:PassRole privilege in your Lambda to say you are only able to pass that role. Now he has prevented you from using any other IAM role that could have given you access to more ECR images.
In summary, without PassRole permission you'd be able to specify whatever you wanted as the ecsTaskExecutionRole to perhaps give you access to more than the administrator wants to.
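The check the answer describes, as an added example that is part of neither the question nor the answer: a small Python model of what the caller of RunTask must be allowed to do, with a least-privilege version of the Lambda's policy. The account id, task family and the second "AdminTaskExecutionRole" are constructed placeholders, and the evaluator is a deliberate simplification of IAM (no Deny statements, no SCPs, and only the iam:PassedToService condition key is honoured).

```python
"""Simplified model of the two permission checks behind a Lambda -> ecs:RunTask call.
Added example; account id, names and ARNs are constructed placeholders."""
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"  # placeholder, not a real account
EXEC_ROLE = f"arn:aws:iam::{ACCOUNT}:role/ecsTaskExecutionRole"
OTHER_ROLE = f"arn:aws:iam::{ACCOUNT}:role/AdminTaskExecutionRole"  # hypothetical, broader role


def lambda_role_policy(task_family: str) -> dict:
    """Tighter version of the tutorial's Lambda policy: RunTask is limited to one task
    definition family, and PassRole to the execution role, and only when the role is being
    handed to ECS (iam:PassedToService is a standard IAM condition key)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ecs:RunTask",
             "Resource": f"arn:aws:ecs:us-east-1:{ACCOUNT}:task-definition/{task_family}:*"},
            {"Effect": "Allow", "Action": "iam:PassRole", "Resource": EXEC_ROLE,
             "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
        ],
    }


def statement_allows(policy: dict, action: str, resource: str, service: str = "") -> bool:
    """Does some Allow statement cover (action, resource)? IAM wildcards are matched with
    fnmatch; Deny statements, SCPs and other condition keys are ignored on purpose."""
    for stmt in policy["Statement"]:
        acts = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        res = [stmt["Resource"]] if isinstance(stmt["Resource"], str) else stmt["Resource"]
        if stmt["Effect"] != "Allow" or not any(fnmatchcase(action, a) for a in acts):
            continue
        if not any(fnmatchcase(resource, r) for r in res):
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("iam:PassedToService")
        if wanted is None or wanted == service:
            return True
    return False


def run_task_allowed(policy: dict, task_definition_arn: str, execution_role_arn: str) -> bool:
    """RunTask names only the task definition. ECS reads executionRoleArn out of that
    definition and then requires the *caller* to hold iam:PassRole for it, which is why
    the Lambda's role needs PassRole even though the role is set on the task definition."""
    return (statement_allows(policy, "ecs:RunTask", task_definition_arn)
            and statement_allows(policy, "iam:PassRole", execution_role_arn,
                                 "ecs-tasks.amazonaws.com"))
```

Swapping the execution role on the task definition for OTHER_ROLE makes run_task_allowed return False, which is the restriction the answer describes.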