Create required AWS IAM Roles

Check whether the following IAM roles exist and create any that are missing (if you already created them for an earlier exercise, skip creating them again).

  1. Task Execution Role: The Amazon ECS container agent makes calls to the Amazon ECS API on your behalf, so it requires an IAM policy and role for the service to know that the agent belongs to you. This IAM role is referred to as a task execution IAM role.

    To create the ecsTaskExecutionRole IAM role

    1. Open the IAM console
    2. In the navigation pane, choose Roles, Create role.
    3. In the Select type of trusted entity section, choose Elastic Container Service.
    4. For Select your use case, choose Elastic Container Service Task, then choose Next: Permissions.
    5. In the Attach permissions policy section, search for AmazonECSTaskExecutionRolePolicy, select the policy, and then choose Next: Review.
    6. For Role Name, type ecsTaskExecutionRole and choose Create role.
    7. Make a note of the Role ARN; you will need it in a later section of the workshop.
  2. ECS Instance Role: This IAM role is required for the EC2 launch type. The Amazon ECS container agent makes calls to the Amazon ECS API on your behalf. Container instances that run the agent require an IAM policy and role for the service to know that the agent belongs to you.

    To create the ecsInstanceRole IAM role

    1. Open the IAM console
    2. In the navigation pane, choose Roles, Create role.
    3. Choose the AWS service role type, and then choose Elastic Container Service.
    4. Choose the EC2 Role for Elastic Container Service use case and then Next: Permissions.
    5. In the Attached permissions policy section, select AmazonEC2ContainerServiceforEC2Role and then choose Next: Review.
    6. For Role Name, type ecsInstanceRole and choose Create role.
  3. ECS CodeDeploy Role: Before you can use the CodeDeploy blue/green deployment type with Amazon ECS, the CodeDeploy service needs permissions to update your Amazon ECS service on your behalf. These permissions are provided by the CodeDeploy IAM role.

    To create the ecsCodeDeployRole IAM role

    1. Open the IAM console
    2. In the navigation pane, choose Roles, Create role.
    3. Choose the AWS service role type, and then choose CodeDeploy.
    4. Choose the CodeDeploy use case and then Next: Permissions.
    5. For Role Name, type ecsCodeDeployRole and choose Create role.
    6. Open the ecsCodeDeployRole role again from the IAM console to add the required additional permissions.
    7. Choose Attach policies.
    8. To narrow the available policies to attach, for Filter, type AWSCodeDeployRoleForECS.
    9. Check the box to the left of the AWS managed policy and choose Attach policy and Update.
  4. Service Linked Role for Amazon ECS: Amazon ECS uses the service-linked role named AWSServiceRoleForECS to enable Amazon ECS to call AWS APIs on your behalf. The AWSServiceRoleForECS service-linked role trusts the ecs.amazonaws.com service principal to assume the role. Under most circumstances, this role already exists; if it does not, create it as follows.

    To create a service-linked role (CLI)

    aws iam create-service-linked-role --aws-service-name ecs.amazonaws.com
    
  5. Service Linked Role for Amazon EC2 Auto Scaling: Amazon EC2 Auto Scaling uses service-linked roles for the permissions that it requires to call other AWS services on your behalf. Amazon EC2 Auto Scaling uses the AWSServiceRoleForAutoScaling service-linked role. Under most circumstances, this role already exists; if it does not, create it as follows.

    To create a service-linked role (CLI)

    aws iam create-service-linked-role --aws-service-name autoscaling.amazonaws.com
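The console steps above can be reproduced with the AWS CLI, which also makes the trust relationship of each role explicit: a role should be assumable by exactly one service principal (ecs-tasks.amazonaws.com for the task execution role, ec2.amazonaws.com for the instance role, codedeploy.amazonaws.com for the CodeDeploy role) and should carry only the managed policy the workshop names. The script below is an added example, not part of the workshop; it assumes an installed and credentialed AWS CLI, uses the role names and policy ARNs from the steps above, skips roles that already exist (matching the "skip if already created" instruction), and, for ecsInstanceRole, also creates the instance profile that the console creates automatically but the CLI does not. It attaches only AWSCodeDeployRoleForECS to ecsCodeDeployRole, which is the policy the ECS blue/green deployment needs; the console's CodeDeploy use case attaches its default policy as well. The function names and the --apply flag are this example's own.

```shell
#!/bin/sh
# Added example: create the workshop's IAM roles with least-privilege trust
# policies. Not workshop code; assumes a credentialed AWS CLI.
set -eu

# Trust policy that lets exactly one service principal assume the role.
trust_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"%s"},"Action":"sts:AssumeRole"}]}' "$1"
}

# Which service may assume each workshop role.
role_principal() {
  case "$1" in
    ecsTaskExecutionRole) echo ecs-tasks.amazonaws.com ;;
    ecsInstanceRole)      echo ec2.amazonaws.com ;;
    ecsCodeDeployRole)    echo codedeploy.amazonaws.com ;;
    *) return 1 ;;
  esac
}

# The single AWS managed policy the workshop attaches to each role.
role_policy_arn() {
  case "$1" in
    ecsTaskExecutionRole) echo arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy ;;
    ecsInstanceRole)      echo arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role ;;
    ecsCodeDeployRole)    echo arn:aws:iam::aws:policy/AWSCodeDeployRoleForECS ;;
    *) return 1 ;;
  esac
}

# Create the role only if it is missing, attach its policy, print the ARN.
ensure_role() {
  name="$1"
  if aws iam get-role --role-name "$name" >/dev/null 2>&1; then
    echo "role $name already exists, skipping create" >&2
  else
    aws iam create-role --role-name "$name" \
      --assume-role-policy-document "$(trust_policy "$(role_principal "$name")")" >/dev/null
  fi
  aws iam attach-role-policy --role-name "$name" --policy-arn "$(role_policy_arn "$name")"
  # EC2 container instances are launched with an instance profile, not a bare role.
  if [ "$name" = ecsInstanceRole ] &&
     ! aws iam get-instance-profile --instance-profile-name "$name" >/dev/null 2>&1; then
    aws iam create-instance-profile --instance-profile-name "$name" >/dev/null
    aws iam add-role-to-instance-profile --instance-profile-name "$name" --role-name "$name"
  fi
  aws iam get-role --role-name "$name" --query Role.Arn --output text
}

# create-service-linked-role fails when the role exists, so check first.
ensure_service_linked_role() {
  role="$1"; service="$2"
  if aws iam get-role --role-name "$role" >/dev/null 2>&1; then
    echo "service-linked role $role already exists" >&2
  else
    aws iam create-service-linked-role --aws-service-name "$service" >/dev/null
  fi
}

main() {
  for r in ecsTaskExecutionRole ecsInstanceRole ecsCodeDeployRole; do
    ensure_role "$r"
  done
  ensure_service_linked_role AWSServiceRoleForECS ecs.amazonaws.com
  ensure_service_linked_role AWSServiceRoleForAutoScaling autoscaling.amazonaws.com
}

# Only touch the account when explicitly asked: sh create-ecs-roles.sh --apply
if [ "${1:-}" = "--apply" ]; then
  main
fi
```

Run it with `--apply`; without the flag it only defines the functions, so you can source it and call `trust_policy` or `role_policy_arn` to inspect what would be created. The printed ARN of ecsTaskExecutionRole is the value step 7 above asks you to note.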