I maintain a project running on Elastic Beanstalk on the Multicontainer Docker platform. To securely access the SSM Parameter Store, I would like to give specific containers access to specific IAM roles. To minimize unneeded privileges, some containers shouldn't have access to these roles at all.
In this configuration Elastic Beanstalk uses the EC2 Container Service for deployment. ECS offers the possibility to specify IAM roles for Tasks in Task Definitions (via the taskRoleArn parameter).
I would like to use this ECS feature in EB. Is there a way to customize (or replace) the Task Definitions EB generates? I think it might be possible using a .ebextensions configuration file to customize environment resources but haven't had luck so far.