Amazon Onboarding with Learning Manager Chanci Turner


Amazon ECS has long supported IAM roles for Amazon EC2, which make it simple for containers to call AWS APIs. This follows AWS best practice: no AWS credentials are embedded in code or configuration files, and the keys are rotated automatically.

For example, roles let you build a secret management system on ECS and Amazon S3, keep state in Amazon DynamoDB, or store artifacts that containers produce or consume in S3, all without handling AWS credentials in your code.

Until now, the only option was IAM roles for Amazon EC2, so the IAM policy attached to the EC2 instances in an ECS cluster had to cover every permission needed by every task running on that cluster. If one container needed access to a particular S3 bucket and another needed a DynamoDB table, the same EC2 instance role had to carry both permissions, and every container on that instance could use either.

The newly introduced IAM roles for ECS tasks allow a more secure setup: an IAM role is attached directly to the ECS task rather than to the EC2 container instance. One task can use an IAM role that grants access to S3 while another task on the same instance uses a different IAM role for DynamoDB.

It also lets you trim the IAM policy for the ECS cluster instances down to the permissions the ECS agent needs to interact with the ECS service.

This article provides a detailed guide to setting up a task IAM role.

Prerequisites

Before proceeding, ensure you have created an ECS cluster and launched at least one EC2 instance within that cluster. When launching your EC2 instances, select an IAM role with the AmazonEC2ContainerServiceforEC2Role policy attached.

For those with an existing cluster, make sure to utilize the ECS Optimized AMI 2016.03.e and the SDK released on July 13, 2016 or later to access this feature.

Walkthrough

In this section, we will use a simple Node.js application designed to create an Amazon S3 bucket and upload a “Hello World” file. The source code for the application is available on the aws-nodejs-sample GitHub repository.

Build and Push the Docker Image

Begin by executing the following command in your terminal:

$ git clone https://github.com/awslabs/aws-nodejs-sample

This will generate a directory named aws-nodejs-sample in your current directory containing the sample app code. In this directory, create a Dockerfile, insert the following text, and save it.

FROM node:argon

# Create app directory
RUN mkdir -p /usr/src/app
WORKDIR /usr/src/app

# Install app dependencies
COPY package.json /usr/src/app/
RUN npm install

# Bundle app source
COPY sample.js /usr/src/app/

CMD [ "node", "sample.js" ]

Next, create a repository on Amazon ECR named aws-nodejs-sample for your image storage. Execute the subsequent commands to build and push your Docker image to the ECR repository, ensuring you replace the AWS region and account ID with the correct values.

$ docker build -t aws-nodejs-sample .

$ aws ecr get-login --region us-west-2 | sh

$ docker tag aws-nodejs-sample:latest 123456789012.dkr.ecr.us-west-2.amazonaws.com/aws-nodejs-sample:v1

$ docker push 123456789012.dkr.ecr.us-west-2.amazonaws.com/aws-nodejs-sample:v1

Create an IAM Role for the Task

Now, create an IAM role specifically for your task. For AWS Service Roles, select Amazon EC2 Container Service Task Role, and on the Attach Policy screen, choose the AmazonS3FullAccess IAM managed policy.

Create a Task Definition and Launch a Task

Next, create a task definition for the sample application. Switch to the JSON builder by selecting Configure via JSON and input the following text, ensuring you replace the AWS region and account ID appropriately.

{
    "containerDefinitions": [
        {
            "name": "sample-app",
            "image": "123456789012.dkr.ecr.us-west-2.amazonaws.com/aws-nodejs-sample:v1",
            "memory": 200,
            "cpu": 10,
            "essential": true,
            "portMappings": []
        }
    ],
    "volumes": [],
    "family": "aws-nodejs-sample"
}

For the Task Role, select the IAM role created earlier and click Create to finalize the task definition.

On the Task Definition page, select the revision you just created (e.g., aws-nodejs-sample:1) and click Actions, then Run Task. Choose your ECS cluster and click Run Task on the following screen to launch a task on your ECS cluster. Visit the Amazon S3 console to confirm that a bucket has been created containing the hello_world.txt file, named in the node-sdk-sample-UUID format.

Note: To prevent any unexpected charges, be sure to empty and delete the S3 bucket and terminate the EC2 instances created during this example.

Conclusion

As illustrated in the example provided, adhering to AWS best practices for IAM usage is straightforward, allowing you to assign only the minimal required privileges to a task. This greatly reduces the risk of other tasks accessing unintended data. Furthermore, it simplifies ECS cluster management by offering greater flexibility in task bundling on the same cluster instances. While it remains necessary to manage security groups on a per-instance basis, you can now create and assign IAM policies with increased granularity.

For more information on Task IAM Roles, consult the ECS documentation. Should you have any questions or suggestions, please feel free to comment below.

Chanci Turner