Create ECS IAM role

A one-time setup step for ECS

Why?

Every EC2 machine you run as part of an ECS cluster runs an “agent” that connects the machine to the ECS cluster. The agent is responsible for an assortment of operations such as:

  • Downloading Docker images from a repository
  • Starting and stopping Docker containers
  • Reporting statistics
  • Notifying ECS that the machine is up and running, and which cluster it should join

The agent on the machine must obtain permission, somehow, to call the ECS API.

It’s standard and best practice on AWS to grant permissions using Identity and Access Management (IAM) roles. That is, you grant your EC2 machine permission to access the ECS API by using a role – as opposed to installing actual usernames, passwords, or access keys into the software on the machine.

You do this by creating an IAM role in AWS and then using the name of that role in future ECS operations.

How?

Create an IAM role using the AWS console (as shown in the video), the AWS command line utilities, or CloudFormation (recommended for production environments).

The lesson video shows creating the role using the console’s wizard. However, if you use the command line or CloudFormation, you will need to supply a JSON description of the IAM policy. The typical policy is shown below and can be used verbatim.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateCluster",
        "ecs:DeregisterContainerInstance",
        "ecs:DiscoverPollEndpoint",
        "ecs:Poll",
        "ecs:RegisterContainerInstance",
        "ecs:StartTelemetrySession",
        "ecs:Submit*",
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage"
      ],
      "Resource": "*"
    }
  ]
}
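As an added example (not part of the lesson), the same policy as a CloudFormation template that also supplies the two pieces the policy document alone does not: the trust policy that lets the EC2 service assume the role, and the instance profile that EC2 actually attaches to the machine. The resource, role, policy and profile names are assumptions; choose your own.

```yaml
AWSTemplateFormatVersion: "2010-09-09"

Resources:
  EcsInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: ecsInstanceRole            # assumed name
      # Trust policy: only the EC2 service may assume this role, so the
      # permissions are bound to the instance, not to a user or an access key.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      # Permissions policy: the agent policy from the lesson, verbatim.
      Policies:
        - PolicyName: ecs-agent-policy     # assumed name
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - ecs:CreateCluster
                  - ecs:DeregisterContainerInstance
                  - ecs:DiscoverPollEndpoint
                  - ecs:Poll
                  - ecs:RegisterContainerInstance
                  - ecs:StartTelemetrySession
                  - ecs:Submit*
                  - ecr:GetAuthorizationToken
                  - ecr:BatchCheckLayerAvailability
                  - ecr:GetDownloadUrlForLayer
                  - ecr:BatchGetImage
                Resource: "*"

  # EC2 instances reference an instance profile, not a role directly.
  # Use this profile's name when launching container instances.
  EcsInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      InstanceProfileName: ecsInstanceProfile   # assumed name
      Roles:
        - !Ref EcsInstanceRole

Outputs:
  InstanceProfileName:
    Value: !Ref EcsInstanceProfile
```

Because the template sets explicit IAM names, deploy it with `--capabilities CAPABILITY_NAMED_IAM` (or drop the `RoleName`/`InstanceProfileName` lines and use `CAPABILITY_IAM`).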