Difference between AWS Elastic Container Service's (ECS) ExecutionRole and TaskRole

Referring to the documentation, you can see that the execution role is the IAM role that executes ECS actions such as pulling the image and storing the application logs in CloudWatch.

The TaskRole, then, is the IAM role used by the task itself. For example, if your container wants to call other AWS services like S3, SQS, etc., then those permissions would need to be covered by the TaskRole.

Using a TaskRole is functionally the same as using access keys in a config file on the container instance. Using access keys in this way is not secure and is considered very bad practice. I include this in the answer because many people reading this already understand access keys.


The ECS task execution role covers the capabilities of the ECS agent (and container instance), e.g.:

  • Pulling a container image from Amazon ECR
  • Using the awslogs log driver

The ECS task role covers the specific capabilities within the task itself, e.g.:

  • When your actual code runs
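Worked example (added here; it is not part of either answer above and is not AWS's own code): the split both answers describe, expressed as a task definition with separate executionRoleArn and taskRoleArn, the two permission policies that go with them, and a small offline audit that flags the usual mistake of giving the execution role application permissions (or using one role for both). The account ID, region, role names, bucket, queue and image are made-up placeholders; the allow-list of execution-role action prefixes is my own choice and is an assumption, not an AWS-defined list.

```python
"""Execution role vs. task role in an ECS task definition, with an offline audit.
Added example; all ARNs, names and IDs below are constructed placeholders."""
import json

ACCOUNT = "123456789012"   # constructed placeholder account id
REGION = "us-east-1"

# Both roles are assumed by the ECS tasks service principal.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ecs-tasks.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Execution role: what the ECS agent needs to start the task on your behalf
# (pull the image from ECR, ship stdout/stderr through the awslogs driver).
EXECUTION_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ecr:GetAuthorizationToken",
                              "ecr:BatchCheckLayerAvailability",
                              "ecr:GetDownloadUrlForLayer",
                              "ecr:BatchGetImage",
                              "logs:CreateLogStream",
                              "logs:PutLogEvents"],
                   "Resource": "*"}],
}

# Task role: what the application code running inside the container needs.
TASK_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/*"},
        {"Effect": "Allow", "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
         "Resource": f"arn:aws:sqs:{REGION}:{ACCOUNT}:example-app-queue"},
    ],
}

# Assumed allow-list (my choice): prefixes an execution role legitimately uses.
# secretsmanager/ssm/kms are here because the agent, not the app, resolves
# `secrets` entries at launch time.
EXECUTION_ALLOWED_PREFIXES = ("ecr:", "logs:", "secretsmanager:", "ssm:", "kms:")


def build_task_definition(family="example-app"):
    """A Fargate task definition wiring the two roles to their distinct jobs."""
    return {
        "family": family,
        "requiresCompatibilities": ["FARGATE"],
        "networkMode": "awsvpc",
        "cpu": "256",
        "memory": "512",
        "executionRoleArn": f"arn:aws:iam::{ACCOUNT}:role/exampleAppExecutionRole",
        "taskRoleArn": f"arn:aws:iam::{ACCOUNT}:role/exampleAppTaskRole",
        "containerDefinitions": [{
            "name": "app",
            "image": f"{ACCOUNT}.dkr.ecr.{REGION}.amazonaws.com/example-app:1.0",
            "essential": True,
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {"awslogs-group": "/ecs/example-app",
                            "awslogs-region": REGION,
                            "awslogs-stream-prefix": "ecs"},
            },
        }],
    }


def _allowed_actions(policy):
    """Flatten every Allow statement's Action (string or list) into one list."""
    actions = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        actions.extend([acts] if isinstance(acts, str) else acts)
    return actions


def audit(task_def, execution_policy, task_policy):
    """Return a list of findings; an empty list means the split looks clean."""
    findings = []
    if task_def.get("executionRoleArn") == task_def.get("taskRoleArn"):
        findings.append("executionRoleArn and taskRoleArn are the same role")
    for action in _allowed_actions(execution_policy):
        if action == "*" or not action.startswith(EXECUTION_ALLOWED_PREFIXES):
            findings.append(f"execution role grants application-level action {action}")
    for action in _allowed_actions(task_policy):
        if action == "*" or action.endswith(":*"):
            findings.append(f"task role grants wildcard action {action}")
    uses_awslogs = any(c.get("logConfiguration", {}).get("logDriver") == "awslogs"
                       for c in task_def["containerDefinitions"])
    if uses_awslogs and not task_def.get("executionRoleArn"):
        findings.append("awslogs driver configured but no executionRoleArn set")
    return findings


def single_role_antipattern():
    """One role for both ARNs with the permissions merged: what the audit flags."""
    td = build_task_definition()
    td["executionRoleArn"] = td["taskRoleArn"]
    merged = {"Version": "2012-10-17",
              "Statement": EXECUTION_ROLE_POLICY["Statement"] + TASK_ROLE_POLICY["Statement"]}
    return audit(td, merged, merged)


if __name__ == "__main__":
    print(json.dumps(build_task_definition(), indent=2))
    print("clean split findings:", audit(build_task_definition(),
                                         EXECUTION_ROLE_POLICY, TASK_ROLE_POLICY))
    print("single-role findings:", single_role_antipattern())
```

With this split the application never carries static access keys: the SDK inside the container obtains the task role's credentials from the ECS credential endpoint advertised through AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, while the execution role's credentials are only ever used by the agent and are not exposed to the container.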