Carter Kwon

02/03/2021, 10:04 PM
Hello, I plan on running my flows using ECS and I’d like to have a separate IAM role for each task so it can have the minimum required access. I plan on using Terraform to provision the required AWS resources. I’d like to keep the task’s IAM-related code coupled with the flow code so it can be used easily with our CI/CD pipeline. Does anyone have any ideas on how to best achieve this? It would be great if you could define the permissions needed in the task definition so it could be added in the flow code using ECSRun, but I don’t believe that is possible. It sounds like the only option is providing the ARN of an existing role. Thanks!

Mariia Kerimova

02/03/2021, 10:29 PM
Hello Carter! Currently there is no way to dynamically set permissions in ECSRun. The setup assumes that you already have roles created in your infrastructure. I hope the community will share workarounds, and you are also welcome to open an issue.
👍 1

Billy McMonagle

02/03/2021, 10:52 PM
@Carter Kwon perhaps you could publish the IAM ARN during build (e.g., as an SSM parameter) and reference that parameter to attach the role to the ECSRun config? I'm doing something similar with KubernetesRun config, although I'm not creating IAM roles for individual flows.
Perhaps you'd also be interested in this discussion on GitHub

Carter Kwon

02/03/2021, 11:19 PM
Thank you both for the responses. @Billy McMonagle that's similar to what I was thinking. It may be the best approach for now. Also, thanks for sharing that discussion. There's already some great information on there, and I'm looking forward to it growing.
🚀 1