
I am writing an AWS Lambda function to trigger an ECS Fargate task. I am following the example provided at Run tasks with AWS Fargate and Lambda. While my setup works, there is one of the parts involving IAM roles that I do not understand.

One of the steps is to create an ECS task. I create that task with its "Task execution IAM role" left at ecsTaskExecutionRole. According to the info on the ECS task setup page, the "Task execution IAM role" is

The role that authorizes Amazon ECS to pull private images and publish logs for your task. This takes the place of the EC2 Instance role when running tasks.

Next, I create the Lambda function. Part of that Lambda function setup is the creation of another IAM role because, according to the "Run tasks with AWS Fargate and Lambda" page,

The Lambda would need IAM role with 2 policies - one to run the task, and second to pass the ecsTaskExecutionRole to the task.

The role looks like this (I have compressed the white-space to save space):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1512361420000",
            "Effect": "Allow",
            "Action": [ "ecs:RunTask" ],
            "Resource": [ "*" ]
        },
        {
            "Sid": "Stmt1512361593000",
            "Effect": "Allow",
            "Action": [ "iam:PassRole" ],
            "Resource": [ "arn:aws:iam::************:role/ecsTaskExecutionRole" ]
        }
    ]
}

What I don't understand is why the Lambda function has to have this iam:PassRole permission. Why does the Lambda function have to "pass the ecsTaskExecutionRole to the task"? Doesn't the ECS task get that role assigned automatically when it runs due to the fact that I set "Task execution IAM role" to ecsTaskExecutionRole? If not, then what is the point of the "Task execution IAM role" setting?

user35042

1 Answer


To quote AWS documentation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html):

To configure many AWS services, you must pass an IAM role to the service. This allows the service to later assume the role and perform actions on your behalf. You only have to pass the role to the service once during set-up, and not every time that the service assumes the role. For example, assume that you have an application running on an Amazon EC2 instance. That application requires temporary credentials for authentication, and permissions to authorize the application to perform actions in AWS. When you set up the application, you must pass a role to EC2 to use with the instance that provides those credentials. You define the permissions for the applications running on the instance by attaching an IAM policy to the role. The application assumes the role every time it needs to perform the actions that are allowed by the role.

The ecsTaskExecutionRole parameter defines IAM permissions that you want to give to the Fargate task. In most cases users will just use the AWS managed role "role/ecsTaskExecutionRole" which allows downloading of any image from ECR.

But imagine you had a different policy that only allowed downloading of a specific image.

Your administrator only wants you to be able to use that policy so he uses the iam:PassRole privilege in your Lambda to say you are only able to pass that role. Now he has prevented you from using any other IAM role that could have given you access to more ECR images.

In summary, without PassRole permission you'd be able to specify whatever you wanted as the ecsTaskExecutionRole to perhaps give you access to more than the administrator wants to.

wimnat
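As an added example (not code from the question or from wimnat's answer): a Python Lambda that calls ecs.run_task, the Lambda role policy with iam:PassRole scoped to one execution role and to the ECS tasks service through the iam:PassedToService condition key, and a deliberately simplified evaluator that shows what that scoping buys compared with "Resource": "*". The account ID, region, cluster name, task definition, role names and the SUBNET_IDS environment variable are assumed placeholders.

```python
"""Lambda that starts a Fargate task, plus a simplified check of how the
iam:PassRole statement limits which execution role the caller can hand to
ECS.  Added example, not code from the question or answer; all ARNs,
cluster and task names are assumed placeholders."""
import fnmatch
import os

# Assumed identifiers (placeholders, not from the original post).
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
CLUSTER = "demo-cluster"
TASK_DEFINITION = "demo-task:1"
EXEC_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/ecsTaskExecutionRole"
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/AdminRole"

# What the answer warns against: PassRole on any role at all.
UNSCOPED_PASSROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ecs:RunTask", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}


def scoped_lambda_policy(exec_role_arn):
    """Policy for the Lambda's role: RunTask, plus PassRole limited to one
    role and to the ECS tasks service via the iam:PassedToService key."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ecs:RunTask", "Resource": "*"},
            {
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": exec_role_arn,
                "Condition": {
                    "StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}
                },
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def can_pass_role(policy, role_arn, service="ecs-tasks.amazonaws.com"):
    """Simplified IAM evaluation of iam:PassRole for one role ARN.

    A statement matches when its Action covers iam:PassRole, a Resource
    pattern matches the ARN (IAM '*' and '?' wildcards) and, if present,
    the iam:PassedToService condition names the receiving service.  An
    explicit Deny wins; otherwise any matching Allow grants.  This models
    only the parts of the IAM policy language the example needs.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase("iam:PassRole", a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(role_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        passed_to = stmt.get("Condition", {}).get("StringEquals", {}).get("iam:PassedToService")
        if passed_to is not None and service not in _as_list(passed_to):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def build_run_task_request(cluster, task_definition, subnets, exec_role_arn=None):
    """Parameters for ecs.run_task().  The execution role comes from the task
    definition, or from the overrides block if the caller supplies one;
    either way ECS checks that the caller may pass that role."""
    request = {
        "cluster": cluster,
        "taskDefinition": task_definition,
        "launchType": "FARGATE",
        "count": 1,
        "networkConfiguration": {
            "awsvpcConfiguration": {"subnets": list(subnets), "assignPublicIp": "ENABLED"}
        },
    }
    if exec_role_arn is not None:
        request["overrides"] = {"executionRoleArn": exec_role_arn}
    return request


def lambda_handler(event, context):
    """Entry point when deployed; boto3 is imported here so the rest of the
    module runs without it."""
    import boto3  # provided by the Lambda runtime

    subnets = os.environ["SUBNET_IDS"].split(",")  # assumed env var
    request = build_run_task_request(CLUSTER, TASK_DEFINITION, subnets, EXEC_ROLE)
    response = boto3.client("ecs", region_name=REGION).run_task(**request)
    return {"taskArns": [t["taskArn"] for t in response["tasks"]]}
```

The RunTask call carries the execution role twice over: once inside the task definition and, if the caller chooses, again in the overrides block, and ECS requires iam:PassRole on whichever role ends up attached to the task. With the unscoped policy the evaluator accepts passing AdminRole; with the scoped one it accepts only ecsTaskExecutionRole, and only when the receiving service is ecs-tasks.amazonaws.com, so the same Lambda role cannot be reused to hand the role to some other service.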