Difference between AWS Elastic Container Service's (ECS) ExecutionRole and TaskRole

amazon-web-services amazon-ecs amazon-iam

Referring to the documentation you can see that the execution role is the IAM role that executes ECS actions such as pulling the image and storing the application logs in cloudwatch.

The TaskRole then, is the IAM role used by the task itself. For example, if your container wants to call other AWS services like S3, SQS, etc then those permissions would need to be covered by the TaskRole.

Using a TaskRole is functionally the same as using access keys in a config file on the container instance. Using access keys in this way is not secure and is considered very bad practice. I include this in the answer because many people reading this already understand access keys.


ECS task execution role is capabilities of ECS agent (and container instance), e.g:

  • Pulling a container image from Amazon ECR
  • Using the awslogs log driver

ECS task role is specific capabilities within the task itself, e.g:

  • When your actual code runs

Related

Is dp the same as dip? [duplicate]
npm: Why is a version "0.1" invalid?
How can a WPF UserControl inherit a WPF UserControl?
Idiomatic way to wait for multiple callbacks in Node.js
What's the foolproof way to tell which version(s) of .NET are installed on a production Windows Server?
MySQL IN condition limit
How do I check for an empty slice?
Upload files and JSON in ASP.NET Core Web API
Which dialect of Lisp should I learn? [closed]
What is an exclamation point in GraphQL?
WCF chokes on properties with no "set ". Any workaround?
is node.js' console.log asynchronous?