
How Do I Grant an IAM Role to an ECS Task for RDS Database Connection in AWS?

Introduction

Connecting an ECS task to an RDS database securely requires assigning the appropriate IAM role to the ECS task. This process ensures that the ECS task has the necessary permissions to interact with the RDS instance without embedding credentials directly in the application code. In this guide, we will walk through the steps to create and assign an IAM role to an ECS task for RDS connectivity.

Step-by-Step Explanation

  1. Create an IAM Role:

    • Begin by creating an IAM role that the ECS task will assume. This role will grant the ECS task the necessary permissions to interact with AWS services.
  2. Attach Policies to the Role:

    • Attach a policy granting the RDS permissions the task needs, such as rds:DescribeDBInstances and, for IAM database authentication, rds-db:connect. Scope the connect permission to the database user the task logs in as rather than to every instance in the account.
  3. Modify ECS Task Definition:

    • Update the ECS Task Definition to use the created IAM role. This involves specifying the role’s ARN in the task definition so that the ECS task can assume it during execution.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Role assumed by the task. The trust policy allows only the ECS tasks
// service principal to assume it.
const ecsTaskExecutionRole = new aws.iam.Role("ecs_task_execution_role", {
    name: "ecs_task_execution_role",
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Principal: {
                Service: "ecs-tasks.amazonaws.com",
            },
            Action: "sts:AssumeRole",
        }],
    }),
});

// AWS managed policy that lets the ECS agent pull the image and ship logs.
const ecsTaskExecutionPolicy = new aws.iam.PolicyAttachment("ecs_task_execution_policy", {
    name: "ecs_task_execution_policy",
    roles: [ecsTaskExecutionRole.name],
    policyArn: "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
});

// Permissions the application inside the task needs. IAM database
// authentication is granted by the rds-db:connect action (there is no
// rds:Connect action), scoped to one database user on one instance.
// Replace the placeholder ARN segments with your own values.
const rdsAccessPolicy = new aws.iam.Policy("rds_access_policy", {
    name: "rds_access_policy",
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [
            {
                Effect: "Allow",
                Action: "rds:DescribeDBInstances",
                Resource: "*",
            },
            {
                Effect: "Allow",
                Action: "rds-db:connect",
                Resource: "arn:aws:rds-db:your-region:your-account-id:dbuser:your-db-resource-id/your-db-username",
            },
        ],
    }),
});

const ecsTaskRdsPolicyAttachment = new aws.iam.RolePolicyAttachment("ecs_task_rds_policy_attachment", {
    role: ecsTaskExecutionRole.name,
    policyArn: rdsAccessPolicy.arn,
});

const example = new aws.ecs.TaskDefinition("example", {
    family: "example",
    containerDefinitions: JSON.stringify([{
        name: "example",
        image: "your-docker-image",
        essential: true,
        environment: [{
            name: "RDS_HOST",
            value: "your-rds-database.endpoint",
        }],
    }]),
    // executionRoleArn is used by the ECS agent; taskRoleArn is what the
    // application's SDK calls run as. This sample reuses one role for both;
    // a separate task role carrying only rds_access_policy is tighter.
    executionRoleArn: ecsTaskExecutionRole.arn,
    taskRoleArn: ecsTaskExecutionRole.arn,
    networkMode: "awsvpc",
    requiresCompatibilities: ["FARGATE"],
    cpu: "256",
    memory: "512",
});

export const ecsTaskExecutionRoleArn = ecsTaskExecutionRole.arn;
export const ecsTaskDefinitionFamily = example.family;
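The three steps above come down to two policy documents: a trust policy naming ecs-tasks.amazonaws.com and a permission policy that grants rds-db:connect on a dbuser ARN. The following TypeScript is an added example, not code from the Pulumi page: it builds those documents without any Pulumi dependency and runs a small lint over a policy to catch the two things a reviewer would flag in the sample (a wildcard Resource on a non-read-only action, and the non-existent action rds:Connect). The function names (dbUserArn, rdsConnectPolicy, lintPolicy), the lint rules, and the account, region and resource-id values are all constructed for illustration.

```typescript
// Added example, not code from the Pulumi page: least-privilege policy
// documents for an ECS task using IAM database authentication, plus a lint
// that reports the weaknesses in the page's sample policy.

type PolicyStatement = {
    Effect: "Allow" | "Deny";
    Action: string | string[];
    Resource?: string | string[];
    Principal?: { Service: string };
};

type PolicyDocument = {
    Version: "2012-10-17";
    Statement: PolicyStatement[];
};

// rds-db:connect is authorized against a "dbuser" ARN, not the instance ARN:
// arn:aws:rds-db:<region>:<account-id>:dbuser:<dbi-resource-id>/<db-user-name>
export function dbUserArn(region: string, accountId: string, dbiResourceId: string, dbUser: string): string {
    // The DbiResourceId (starts with "db-") is distinct from the instance
    // identifier shown in the console; reject anything that is not one.
    if (!/^db-[A-Z0-9]+$/.test(dbiResourceId)) {
        throw new Error(`not a DbiResourceId: ${dbiResourceId}`);
    }
    return `arn:aws:rds-db:${region}:${accountId}:dbuser:${dbiResourceId}/${dbUser}`;
}

// Trust policy for the task role: only the ECS tasks service may assume it.
export function ecsTaskTrustPolicy(): PolicyDocument {
    return {
        Version: "2012-10-17",
        Statement: [{ Effect: "Allow", Principal: { Service: "ecs-tasks.amazonaws.com" }, Action: "sts:AssumeRole" }],
    };
}

// Permission policy for the task role: connect as one DB user on one instance.
export function rdsConnectPolicy(userArn: string): PolicyDocument {
    return { Version: "2012-10-17", Statement: [{ Effect: "Allow", Action: "rds-db:connect", Resource: userArn }] };
}

function asList(v: string | string[] | undefined): string[] {
    return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// Reviewer checks on each Allow statement (constructed rules, not an AWS tool):
//  - rds:Connect is not an IAM action; the connect permission is rds-db:connect
//  - a wildcard Resource paired with anything beyond rds:Describe*/List*
//  - rds-db:connect granted for every database user ("/*")
export function lintPolicy(doc: PolicyDocument): string[] {
    const findings: string[] = [];
    doc.Statement.forEach((st, i) => {
        if (st.Effect !== "Allow") return;
        const actions = asList(st.Action);
        const resources = asList(st.Resource);
        if (actions.some(a => a.toLowerCase() === "rds:connect")) {
            findings.push(`statement ${i}: rds:Connect is not an IAM action; use rds-db:connect`);
        }
        const nonReadOnly = actions.filter(a => !/^rds:(Describe|List)/.test(a));
        if (resources.includes("*") && nonReadOnly.length > 0) {
            findings.push(`statement ${i}: wildcard Resource with ${nonReadOnly.join(", ")}`);
        }
        if (actions.includes("rds-db:connect") && resources.some(r => r.endsWith("/*"))) {
            findings.push(`statement ${i}: rds-db:connect allowed for every database user`);
        }
    });
    return findings;
}

// Constructed sample: the permission statement from the page's Pulumi program.
export const pagePolicy: PolicyDocument = {
    Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Action: ["rds:DescribeDBInstances", "rds:Connect"], Resource: "*" }],
};

// Constructed sample values; the account id and resource id are not real.
export const scopedPolicy = rdsConnectPolicy(
    dbUserArn("us-east-1", "123456789012", "db-ABCDEFGHIJKL0123456789", "app_user"),
);

console.log(lintPolicy(pagePolicy));   // two findings
console.log(lintPolicy(scopedPolicy)); // []
```

On the application side nothing in the container holds a password: the SDK picks up the task role's temporary credentials from the ECS credential endpoint and calls the RDS signer (for example boto3's `rds.generate_db_auth_token`) to mint a short-lived token that is sent as the password over TLS. For that to work the RDS instance must have IAM database authentication enabled and the database user must be created for it (granted the `rds_iam` role on PostgreSQL, or created with `AWSAuthenticationPlugin` on MySQL).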

Key Points

  • IAM Role Creation: Necessary for granting permissions to ECS tasks.
  • Policy Attachment: Ensures the ECS task can perform actions on the RDS instance.
  • ECS Task Definition Update: Associates the IAM role with the ECS task.

Conclusion

By following these steps, you have successfully assigned an IAM role to an ECS task, enabling it to securely connect to an RDS database. This method enhances security by managing permissions through IAM roles rather than hardcoding credentials.
