IAM Policy for ECS Task Execution Role

Create an IAM policy for ECS task execution with permissions for ECR image pulling, CloudWatch Logs writing, and Secrets Manager access.

Compute

Detailed Explanation

ECS Task Execution Role Policy

When running containers in ECS (Fargate or EC2), the task execution role is assumed by the ECS container agent on your behalf to pull container images from ECR, push container logs to CloudWatch Logs, and optionally fetch the secrets referenced in the task definition. It is separate from the task role, which the application code inside the container assumes at runtime. Keep the two roles distinct so the application never holds the execution role's image-pull and secret-fetch permissions.

Policy JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowECRPull",
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowCloudWatchLogs",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:CreateLogGroup"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Sid": "AllowSecretsAccess",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-app/*"
    }
  ]
}

Three Statements Explained

  1. ECR Pull: ecr:GetAuthorizationToken does not support resource-level permissions, so it must use Resource: "*". The other three ECR actions do, and can be scoped to repository ARNs of the form arn:aws:ecr:region:account-id:repository/name; "*" is common for execution roles but broader than needed.
  2. CloudWatch Logs: lets the awslogs log driver create log streams and push container stdout/stderr. logs:CreateLogGroup is only needed when the log configuration sets awslogs-create-group to true; otherwise pre-create the group and leave that action out. The resource can be scoped to arn:aws:logs:region:account-id:log-group:name:* (the trailing :* covers the log streams under the group).
  3. Secrets Manager: optional, needed only if a container definition references secrets via valueFrom in its secrets section. Scope to the specific secrets your application needs; the trailing wildcard in the example also matches the random suffix Secrets Manager appends to secret ARNs. If a secret is encrypted with a customer managed KMS key, the execution role additionally needs kms:Decrypt on that key. Values pulled from SSM Parameter Store need ssm:GetParameters instead.

AWS Managed Alternative

AWS provides the AmazonECSTaskExecutionRolePolicy managed policy, which grants the four ECR pull actions and logs:CreateLogStream/logs:PutLogEvents on Resource "*" and nothing for Secrets Manager or KMS. A custom policy lets you scope the ECR and log group resources, grant access to only the secrets you actually inject, and add kms:Decrypt for secrets encrypted with a customer managed key.
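The scoping advice above (resource-scoped ECR and log statements, a secret name prefix, kms:Decrypt only for a customer managed key) together with the trust policy the role needs, as an added Python example that is not part of the original page or its policy generator. It builds the execution policy and the trust policy as plain dicts and lints a policy for scopable actions left on wildcard resources. The account ID, region, repository name, log group, secret prefix and KMS key ARN are constructed placeholders.

```python
"""Generate and lint an ECS task execution role policy and its trust policy.

Added example, not from the original page. All identifiers are constructed
placeholders: replace the account, region, repository, log group, secret and key.
"""
import json
import re

# Constructed sample identifiers, not real resources.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"

# Actions with no resource-level permissions; these legitimately need "*".
ACCOUNT_LEVEL_ACTIONS = {"ecr:GetAuthorizationToken"}


def execution_policy(account_id, region, ecr_repos, log_groups,
                     secret_prefix=None, kms_key_arn=None):
    """Return a least-privilege execution role policy as a dict.

    ecr_repos      ECR repository names the task pulls images from
    log_groups     CloudWatch log group names the awslogs driver writes to
    secret_prefix  Secrets Manager name prefix (e.g. "my-app/") used by the
                   task definition's secrets section, or None
    kms_key_arn    customer managed KMS key ARN protecting those secrets, or None
    """
    statements = [
        # GetAuthorizationToken is account-level, so "*" is the only valid resource.
        {"Sid": "AllowECRAuthToken", "Effect": "Allow",
         "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
        # The layer and image actions can be scoped to repository ARNs.
        {"Sid": "AllowECRPull", "Effect": "Allow",
         "Action": ["ecr:BatchCheckLayerAvailability",
                    "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"],
         "Resource": [f"arn:aws:ecr:{region}:{account_id}:repository/{r}"
                      for r in ecr_repos]},
        # Log streams are children of the group, hence the trailing :*.
        # logs:CreateLogGroup is omitted on purpose: pre-create the groups.
        {"Sid": "AllowCloudWatchLogs", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": [f"arn:aws:logs:{region}:{account_id}:log-group:{g}:*"
                      for g in log_groups]},
    ]
    if secret_prefix:
        # The trailing * also matches the random suffix Secrets Manager adds to ARNs.
        statements.append(
            {"Sid": "AllowSecretsAccess", "Effect": "Allow",
             "Action": "secretsmanager:GetSecretValue",
             "Resource": f"arn:aws:secretsmanager:{region}:{account_id}:"
                         f"secret:{secret_prefix}*"})
        if kms_key_arn:
            # Only needed for a customer managed key. kms:ViaService restricts the
            # grant to decrypts made through Secrets Manager, not direct KMS calls.
            statements.append(
                {"Sid": "AllowSecretsKmsDecrypt", "Effect": "Allow",
                 "Action": "kms:Decrypt", "Resource": kms_key_arn,
                 "Condition": {"StringEquals": {
                     "kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}}})
    return {"Version": "2012-10-17", "Statement": statements}


def trust_policy(account_id, region):
    """Trust policy so only ECS tasks from this account can assume the role.

    aws:SourceArn / aws:SourceAccount are the confused-deputy guard AWS
    recommends for the ecs-tasks.amazonaws.com service principal.
    """
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ecs-tasks.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "ArnLike": {"aws:SourceArn": f"arn:aws:ecs:{region}:{account_id}:*"},
            "StringEquals": {"aws:SourceAccount": account_id},
        },
    }]}


def lint(policy):
    """Flag scopable actions granted on "*" or an all-wildcard ARN like arn:aws:logs:*:*:*."""
    wildcard = re.compile(r"arn:aws:[^:]+:\*:\*:\*")
    findings = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        loose = any(r == "*" or wildcard.fullmatch(r) for r in resources)
        for action in actions:
            if loose and action not in ACCOUNT_LEVEL_ACTIONS:
                findings.append(f"{st.get('Sid', '?')}: {action} granted on wildcard resource")
    return findings


# Constructed sample with the shape of the broad policy shown earlier on this page.
LOOSE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowECRPull", "Effect": "Allow", "Resource": "*",
     "Action": ["ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]},
    {"Sid": "AllowCloudWatchLogs", "Effect": "Allow", "Resource": "arn:aws:logs:*:*:*",
     "Action": ["logs:CreateLogStream", "logs:PutLogEvents", "logs:CreateLogGroup"]},
]}


if __name__ == "__main__":
    key = f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/00000000-0000-0000-0000-000000000000"
    scoped = execution_policy(ACCOUNT_ID, REGION, ["my-app/api"], ["/ecs/my-app"],
                              secret_prefix="my-app/", kms_key_arn=key)
    print(json.dumps(scoped, indent=2))
    print(json.dumps(trust_policy(ACCOUNT_ID, REGION), indent=2))
    for finding in lint(LOOSE_POLICY):
        print("loose:", finding)
```

Running it prints the scoped policy and trust policy ready to pass to `aws iam create-role --assume-role-policy-document` and `aws iam put-role-policy`, and lists six findings for the broad policy (the three scopable ECR actions and all three logs actions on wildcard resources) while the scoped policy produces none. The ecr:GetAuthorizationToken statement is exempt from the lint because "*" is the only resource it accepts.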

Use Case

Running containerized applications on ECS Fargate or EC2 that need to pull images from private ECR repositories, stream logs to CloudWatch, and inject secrets from Secrets Manager into containers.
