← Week 3: Container Orchestration

Day 20: IAM for Container Tasks

Phase 5 · Aug 31, 2026


Agenda (2–3 hours)

  • Read (45 min): ECS task IAM roles documentation; EKS IRSA (IAM Roles for Service Accounts) documentation; IMDSv2 token-based access
  • Study (45 min): What is the difference between the task execution role and the task role? When would a container need each?
  • Practice (45 min): Create a task role with least-privilege access to DynamoDB and SQS; verify the container can call both services without hardcoded credentials
  • Challenge (30 min): A container calling sts:GetCallerIdentity returns an assumed-role ARN for the task role. Explain the credential chain: from the ECS credential endpoint (169.254.170.2, reached through AWS_CONTAINER_CREDENTIALS_RELATIVE_URI) to the AWS SDK call, and why the host's IMDSv2 is not part of it

Task Role vs Execution Role

  Role                  Who assumes it                       Purpose
  Task execution role   ECS agent (on the container host)    Pull ECR images, write CloudWatch Logs, read Secrets Manager / SSM values referenced in the task definition
  Task role             The application container            Call DynamoDB, SQS, S3, etc. from application code

Common mistake: giving the task role ecr:* (the execution role handles that; the application never pulls images).
Least privilege: the task role should only contain what the application actually calls, on the specific table, queue or bucket ARNs. A task whose code never calls an AWS API needs no task role at all.
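The split in the table above, as an added example (not the course's or AWS's own code): build the least-privilege task role policy for the practice exercise (DynamoDB plus SQS), the matching execution role policy, and an audit that flags the common mistake of execution-role actions or wildcards landing on the task role. All ARNs and Sids are constructed placeholders, and the audit is a heuristic, not an IAM policy simulator.

```python
"""Least-privilege ECS task role vs execution role: build both, audit the task role.

Added example for this lesson, not the course's or AWS's own code. All ARNs are
constructed placeholders; the audit rules are a heuristic, not an IAM simulator.
"""
import json

POLICY_VERSION = "2012-10-17"


def task_role_policy(table_arn: str, queue_arn: str) -> dict:
    """Task role: only the API calls the application code makes, on named resources."""
    return {
        "Version": POLICY_VERSION,
        "Statement": [
            {
                "Sid": "OrdersTable",
                "Effect": "Allow",
                "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
                "Resource": table_arn,
            },
            {
                "Sid": "WorkQueue",
                "Effect": "Allow",
                "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"],
                "Resource": queue_arn,
            },
        ],
    }


def execution_role_policy(repo_arn: str, log_group_arn: str, secret_arns: list) -> dict:
    """Execution role: what the ECS agent needs to start the task; the app never uses it."""
    return {
        "Version": POLICY_VERSION,
        "Statement": [
            # GetAuthorizationToken is account-wide, so Resource must be "*" for it.
            {"Sid": "EcrAuth", "Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
            {
                "Sid": "EcrPull",
                "Effect": "Allow",
                "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability"],
                "Resource": repo_arn,
            },
            {
                "Sid": "Logs",
                "Effect": "Allow",
                "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                "Resource": f"{log_group_arn}:*",
            },
            {"Sid": "Secrets", "Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": secret_arns},
        ],
    }


# Services whose actions signal the execution role's job leaking into the task role.
EXECUTION_ONLY_SERVICES = {"ecr", "logs"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_task_role(policy: dict) -> list:
    """Flag wildcards and execution-role actions in a policy meant for a task role."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
            if action.split(":", 1)[0] in EXECUTION_ONLY_SERVICES:
                findings.append(f"{sid}: {action!r} belongs on the execution role, not the task role")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"{sid}: Resource '*' (scope to the table/queue ARN)")
    return findings


# Constructed "common mistake" policy: ecr:* plus wildcards attached to a task role.
OVERBROAD_TASK_POLICY = {
    "Version": POLICY_VERSION,
    "Statement": [
        {"Sid": "Everything", "Effect": "Allow", "Action": ["ecr:*", "dynamodb:*", "sqs:*"], "Resource": "*"}
    ],
}

if __name__ == "__main__":
    table = "arn:aws:dynamodb:us-east-1:123456789012:table/orders"
    queue = "arn:aws:sqs:us-east-1:123456789012:orders-work"
    print(json.dumps(task_role_policy(table, queue), indent=2))
    for finding in audit_task_role(OVERBROAD_TASK_POLICY):
        print("FINDING:", finding)
```

Running the audit against the execution role policy is a useful sanity check in the other direction: every ecr: and logs: action it contains is flagged, which is exactly why that policy must not be the one referenced by taskRoleArn.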


ECS Credential Chain

Task credentials come from the ECS container credential endpoint, not from the EC2 instance metadata service (IMDS, 169.254.169.254). The agent sets AWS_CONTAINER_CREDENTIALS_RELATIVE_URI in every container of the task, and the SDK's default provider chain picks it up:

Container SDK (aws-sdk-rust)
  → reads AWS_CONTAINER_CREDENTIALS_RELATIVE_URI (value like /v2/credentials/{id})
  → GET http://169.254.170.2/v2/credentials/{id}
  → ECS agent serves the credentials it holds for the task
    (ECS assumed the task role via STS on the task's behalf; the role's trust policy must allow the ecs-tasks.amazonaws.com service principal)
  → Returns temporary credentials as JSON (AccessKeyId, SecretAccessKey, Token, Expiration, RoleArn)

The SDK caches the credentials and refreshes them automatically before expiry; the agent rotates them in the background.
No credential files and no long-lived keys in the image; the only environment variable involved is the relative URI the agent injects. Fargate uses the same endpoint and variable.

IMDSv2 matters here for a different reason: the instance role behind IMDS must not be reachable from task containers, or a compromised container inherits the host's permissions on top of its task role. Require IMDSv2 with a PUT response hop limit of 1 (the token response then never reaches bridge-mode containers) and set ECS_AWSVPC_BLOCK_IMDS=true in the agent config for awsvpc tasks. Fargate tasks are not given IMDS access.
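The chain above, as an added example (not aws-sdk-rust or botocore code, though it follows the same resolution order): resolve the endpoint from the environment, parse the agent's JSON, cache and refresh near expiry, and convert the task role ARN into the assumed-role ARN that GetCallerIdentity reports. The HTTP GET is injected as a function so the block runs offline; the environment, the credential response, the 5-minute refresh window and the session name are constructed assumptions, not values captured from a real task.

```python
"""What the SDK's container credential provider does, step by step.

Added example for this lesson; not aws-sdk-rust or botocore code, though it follows the
same resolution order. The HTTP fetch is injected so the block runs offline; the sample
environment and credential response are constructed, not captured from a real task.
"""
import json
from datetime import datetime, timedelta, timezone

# ECS container credential endpoint (EC2 and Fargate launch types). This is NOT the EC2
# instance metadata service (169.254.169.254); that one hands out the *instance* role.
CONTAINER_CREDENTIAL_HOST = "http://169.254.170.2"
REFRESH_BUFFER = timedelta(minutes=5)   # assumed refresh window for this example


def resolve_credential_url(env: dict):
    """Step 1: find the endpoint. The relative URI set by the ECS agent is checked first."""
    headers = {}
    if "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" in env:
        return CONTAINER_CREDENTIAL_HOST + env["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"], headers
    if "AWS_CONTAINER_CREDENTIALS_FULL_URI" in env:
        # Full-URI form (other credential agents) may carry a bearer token.
        token = env.get("AWS_CONTAINER_AUTHORIZATION_TOKEN")
        if token:
            headers["Authorization"] = token
        return env["AWS_CONTAINER_CREDENTIALS_FULL_URI"], headers
    raise RuntimeError("no container credential URI in the environment: not an ECS task?")


def parse_credentials(body: str) -> dict:
    """Step 3: parse the agent's JSON into what the SDK signs requests with."""
    data = json.loads(body)
    for key in ("AccessKeyId", "SecretAccessKey", "Token", "Expiration"):
        if key not in data:
            raise ValueError(f"credential response missing {key}")
    expiry = datetime.strptime(data["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "AccessKeyId": data["AccessKeyId"],
        "SecretAccessKey": data["SecretAccessKey"],
        "SessionToken": data["Token"],
        "Expiration": expiry,
        "RoleArn": data.get("RoleArn"),
    }


class ContainerCredentials:
    """Steps 2 and 4: fetch once, cache, refetch when inside REFRESH_BUFFER of expiry."""

    def __init__(self, env: dict, fetch, now):
        self.url, self.headers = resolve_credential_url(env)
        self._fetch, self._now = fetch, now
        self._cached = None
        self.fetch_count = 0

    def get(self) -> dict:
        if self._cached is None or self._cached["Expiration"] - self._now() <= REFRESH_BUFFER:
            self.fetch_count += 1
            self._cached = parse_credentials(self._fetch(self.url, self.headers))
        return self._cached


def assumed_role_arn(role_arn: str, session_name: str) -> str:
    """Why GetCallerIdentity shows an STS assumed-role ARN, not the IAM role ARN itself."""
    parts = role_arn.split(":")            # arn:aws:iam::ACCOUNT:role/path/NAME
    name = parts[5].split("/")[-1]         # the assumed-role ARN drops any role path
    return f"arn:aws:sts::{parts[4]}:assumed-role/{name}/{session_name}"


# Constructed sample: what the agent puts in the environment and what it serves back.
SAMPLE_ENV = {"AWS_CONTAINER_CREDENTIALS_RELATIVE_URI": "/v2/credentials/5d1c0bd4-example"}
SAMPLE_RESPONSE = json.dumps({
    "RoleArn": "arn:aws:iam::123456789012:role/app-task-role",
    "AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "Token": "FwoGZXIvYXdzEXAMPLESESSIONTOKEN",
    "Expiration": "2026-08-31T12:00:00Z",
})


def fake_fetch(url: str, headers: dict) -> str:
    """Stand-in for the HTTP GET to the ECS agent; checks the SDK built the right URL."""
    assert url == CONTAINER_CREDENTIAL_HOST + SAMPLE_ENV["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"]
    return SAMPLE_RESPONSE


def refresh_timeline(offsets_minutes) -> list:
    """Call get() at successive minute offsets from 11:00 UTC; return fetch_count after each."""
    start = datetime(2026, 8, 31, 11, 0, tzinfo=timezone.utc)
    clock = [start]
    creds = ContainerCredentials(SAMPLE_ENV, fake_fetch, lambda: clock[0])
    counts = []
    for minutes in offsets_minutes:
        clock[0] = start + timedelta(minutes=minutes)
        creds.get()
        counts.append(creds.fetch_count)
    return counts


if __name__ == "__main__":
    creds = parse_credentials(SAMPLE_RESPONSE)
    print("role:", creds["RoleArn"])
    print("caller identity would show:", assumed_role_arn(creds["RoleArn"], "task-session"))
    print("fetch counts at 0/30/54/57 min:", refresh_timeline([0, 30, 54, 57]))
```

The timeline shows the caching behaviour: one fetch at startup, none while the credentials are comfortably valid, and a refetch once the remaining lifetime drops inside the buffer. Inside a real task, replacing fake_fetch with an HTTP GET of the resolved URL is all that changes.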


IRSA for EKS

IAM Roles for Service Accounts: pod-level role binding through the cluster's OIDC provider:

Pod (ServiceAccount: my-svc-account, annotated eks.amazonaws.com/role-arn)
  → Service account token (projected volume, audience: sts.amazonaws.com; the EKS pod identity webhook mounts it and sets AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE)
  → SDK calls STS AssumeRoleWithWebIdentity with that token
  → IAM role whose trust policy names the cluster's OIDC provider as a Federated principal, with conditions:
    StringEquals:
      "oidc.eks.{region}.amazonaws.com/id/{oidc-id}:sub": "system:serviceaccount:my-ns:my-svc-account"
      "oidc.eks.{region}.amazonaws.com/id/{oidc-id}:aud": "sts.amazonaws.com"

The condition key is the provider's :sub claim, not sts:ExternalId. ExternalId is only supplied by sts:AssumeRole callers; AssumeRoleWithWebIdentity never sends it, so a StringEquals on sts:ExternalId can never match and the pod cannot assume the role. The opposite mistake, leaving the :sub condition out, lets every service account in the cluster assume the role.

eksctl creates the role, its trust policy and the annotated service account in one step:

eksctl create iamserviceaccount \
  --name my-svc-account \
  --namespace my-ns \
  --cluster my-cluster \
  --attach-policy-arn arn:aws:iam::123:policy/MyAppPolicy \
  --approve
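The trust policy eksctl generates for that command, as an added example (not eksctl's own code; the builder reproduces the shape the EKS documentation uses, not eksctl's exact output), together with an audit that catches the misscopings worth checking on every IRSA role: a :sub condition that is missing or wildcarded, a missing :aud condition, and a condition on sts:ExternalId. The account ID, OIDC provider ID and role ARN are constructed placeholders.

```python
"""IRSA trust policy: the shape eksctl generates, and how to spot a misscoped one.

Added example for this lesson; not eksctl's own code. The OIDC provider ID, account
and role ARN are constructed placeholders.
"""
import json

ACCOUNT = "123456789012"                                           # constructed
ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"  # constructed


def irsa_trust_policy(account_id: str, oidc_issuer: str, namespace: str, service_account: str) -> dict:
    """oidc_issuer is the provider host and path without scheme, as in IAM condition keys."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_issuer}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                # :sub pins the role to ONE service account; :aud pins the token audience.
                f"{oidc_issuer}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                f"{oidc_issuer}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def service_account_manifest(name: str, namespace: str, role_arn: str) -> dict:
    """The Kubernetes side of the binding: the annotation the pod identity webhook reads."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {"name": name, "namespace": namespace,
                     "annotations": {"eks.amazonaws.com/role-arn": role_arn}},
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_irsa_trust(policy: dict) -> list:
    """Findings per web-identity statement: wrong key, missing/wildcard :sub, missing :aud."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        federated = stmt.get("Principal", {}).get("Federated", "")
        issuer = federated.split(":oidc-provider/", 1)[-1]
        cond = stmt.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        sub_key, aud_key = f"{issuer}:sub", f"{issuer}:aud"
        if "sts:ExternalId" in equals:
            findings.append(f"stmt {i}: sts:ExternalId is never supplied by AssumeRoleWithWebIdentity; "
                            f"this condition can never match, use {sub_key}")
        if sub_key not in equals and sub_key not in like:
            findings.append(f"stmt {i}: no {sub_key} condition: any service account that can get a "
                            f"token from this issuer can assume the role")
        elif sub_key in like and "*" in str(like[sub_key]):
            findings.append(f"stmt {i}: wildcard {sub_key} {like[sub_key]!r}: every matching "
                            f"service account can assume the role")
        if aud_key not in equals:
            findings.append(f"stmt {i}: no {aud_key} condition: tokens minted for other audiences are accepted")
    return findings


# Constructed "wrong" policy: the ExternalId condition from the slide instead of :sub.
EXTERNAL_ID_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT}:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {"sts:ExternalId": "system:serviceaccount:my-ns:my-svc-account"}},
    }],
}

if __name__ == "__main__":
    good = irsa_trust_policy(ACCOUNT, ISSUER, "my-ns", "my-svc-account")
    print(json.dumps(good, indent=2))
    print("good policy findings:", audit_irsa_trust(good))
    for finding in audit_irsa_trust(EXTERNAL_ID_TRUST):
        print("FINDING:", finding)
```

To run the audit against a live role, feed it the output of `aws iam get-role` (the AssumeRolePolicyDocument field); the issuer string is taken from the Federated principal, so no cluster-specific configuration is needed.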

Key Takeaways

  • Task execution role = ECS agent's role (ECR, CloudWatch, Secrets Manager)
  • Task role = application's role (DynamoDB, SQS, S3 — only what the app calls)
  • ECS credential delivery via the container credential endpoint (169.254.170.2 plus AWS_CONTAINER_CREDENTIALS_RELATIVE_URI), not IMDS; the SDK refreshes transparently, and IMDS should be blocked from tasks so the instance role stays out of reach
  • IRSA scopes IAM roles to individual Kubernetes service accounts, not the whole node

Tomorrow: Phase 5 Week 3 Challenge — deploy a gRPC service to ECS with Cloud Map service discovery.