1

I maintain a project running on Elastic Beanstalk on the Multicontainer Docker platform. To securely access the SSM Parameter Store I would like to give specific containers access to specific IAM roles. To minimize unneeded privileges some containers shouldn't have access to these roles at all.

In this configuration Elastic Beanstalk uses the EC2 Container Service for deployment. ECS offers the possibility to specify IAM roles for Tasks in Task Definitions (via the taskRoleArn parameter).

I would like to use this ECS feature in EB. Is there a way to customize (or replace) the Task Definitions EB generates? I think it might be possible using a .ebextensions configuration file to customize environment resources but haven't had luck so far.

Sören Weber

1 Answer

1

According to AWS support this isn't possible at the moment. They raised a feature request though. So it might be possible to set the taskRoleArn parameter in the Dockerrun.aws.json file in the future.

Also, using the Multicontainer Docker platform it's not possible to create or override ECS Task Definitions by using an .ebextensions configuration file.

Sören Weber
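For reference, this is how the `taskRoleArn` feature named in the question looks when task definitions are registered with ECS directly rather than generated by Elastic Beanstalk. It is an added example, not part of the original posts; the account ID, region, role name, images and parameter path are constructed placeholders. A task role is shared by every container in the task, so the container that must have no role gets its own task definition.

```python
# Constructed placeholder values, not taken from the original posts.
ACCOUNT, REGION = "123456789012", "eu-west-1"

def task_role_trust_policy():
    """Trust policy: only the ECS tasks service may assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ecs-tasks.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}

def ssm_read_policy(prefix):
    """Read-only access to the parameters under one path prefix."""
    if not prefix.startswith("/") or "*" in prefix:
        raise ValueError("prefix must be an absolute path without wildcards")
    # SecureString values under a customer managed key also need kms:Decrypt.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm:GetParameter", "ssm:GetParameters"],
        "Resource": f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter{prefix.rstrip('/')}/*"}]}

def task_definition(family, image, role_name=None):
    """ECS task definition; taskRoleArn is omitted when no role is wanted."""
    td = {"family": family, "containerDefinitions": [
        {"name": family, "image": image, "memory": 128, "essential": True}]}
    if role_name:
        td["taskRoleArn"] = f"arn:aws:iam::{ACCOUNT}:role/{role_name}"
    return td

def roles_by_container(task_defs):
    """Map each container name to the task role it can reach (None if none)."""
    return {c["name"]: td.get("taskRoleArn")
            for td in task_defs for c in td["containerDefinitions"]}

def example_task_definitions():
    """Two tasks: 'api' reads /myapp/api/* from SSM, 'proxy' has no role."""
    return [task_definition("api", "example/api:1", role_name="api-task-role"),
            task_definition("proxy", "example/proxy:1")]

if __name__ == "__main__":
    import json
    print(json.dumps(ssm_read_policy("/myapp/api"), indent=2))
    print(roles_by_container(example_task_definitions()))
```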