
AWS IAM roles

To run your agent in AWS, two IAM roles may need to be configured so that the component parts of an agent installation have the access they require.

AWS ECS Fargate

The two required roles are:

  • Task role
  • Task execution role

Task role

This is the role that a running instance of an agent will use. Use an IAM role that has similar permissions to a Matillion Data Productivity Cloud role. If you reuse the same IAM role, you might need to add ecs-tasks.amazonaws.com to the Service list in the role's Trust Relationship so that the ECS service is allowed to assume the role. An example trusted entity is as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "ecs-tasks.amazonaws.com",
                    "ec2.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Task execution role

This role grants the ECS container and Fargate agents permission to make AWS API calls. If you don't have an existing ECS task execution role, you will get the option to create one when creating a task definition.

If the agent credentials are stored in AWS Secrets Manager, the ECS task execution role must be given permission to read those secrets from Secrets Manager.

To make this addition:

  1. Navigate to Roles in the AWS management console, and locate your ECS task execution role. If you don't yet have this IAM role, it will be created after you select Create new role when creating your task definition; you may need to return to this step once that is complete.
  2. Go to Add permissions and select Create inline policy.
  3. Choose the JSON tab, and replace the JSON displayed there with the block below, substituting your secret ARNs.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "secretsmanager:GetSecretValue"
                ],
                "Resource": [
                    "arn:aws:secretsmanager:eu-west-1:<your-aws-account>:secret:<your-secret-arn-1>",
                    "arn:aws:secretsmanager:eu-west-1:<your-aws-account>:secret:<your-secret-arn-2>"
                ]
            }
        ]
    }


    For every set of credentials you store for an agent in a separate Secret entry, you will need to add the ARN of that secret here. Alternatively, you can grant access to every secret in the account with the wildcard resource below, which is broader than the agent needs:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "secretsmanager:GetSecretValue"
                ],
                "Resource": "*"
            }
        ]
    }
  4. Click Review policy to check the results.
  5. Give your inline policy a name.
  6. Click on Create policy to complete the creation and have it added to your role.
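As an added example that is not part of this page or of Matillion's own tooling, the following Python script checks both policies described above offline, before they are attached: that the trust policy lets ecs-tasks.amazonaws.com assume the role, and that the execution role's inline policy grants only secretsmanager:GetSecretValue on concrete secret ARNs rather than "*" or an unsubstituted placeholder. The sample policies, account number 123456789012 and secret names are constructed for the example.

```python
import re

# Constructed sample policies modelled on this page; placeholders are filled with
# made-up values (account 123456789012, secret names) so the checks run offline.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": ["ecs-tasks.amazonaws.com", "ec2.amazonaws.com"]}}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
    "Resource": ["arn:aws:secretsmanager:eu-west-1:123456789012:secret:agent/creds-1-AbCdEf",
                 "arn:aws:secretsmanager:eu-west-1:123456789012:secret:agent/creds-2-GhIjKl"]}]}
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"], "Resource": "*"}]}

# A concrete Secrets Manager ARN: region, 12-digit account, secret name with no wildcard.
SECRET_ARN = re.compile(r"^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:[^*\s]+$")


def as_list(value):
    """IAM accepts a string or a list in Action/Resource/Service; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trusts_ecs_tasks(trust_policy):
    """True if an Allow statement lets ecs-tasks.amazonaws.com call sts:AssumeRole."""
    for st in trust_policy["Statement"]:
        principal = st.get("Principal") or {}
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (st.get("Effect") == "Allow" and "ecs-tasks.amazonaws.com" in services
                and "sts:AssumeRole" in as_list(st.get("Action", []))):
            return True
    return False


def check_secrets_policy(policy):
    """Findings for the execution role's Secrets Manager policy; empty means least privilege."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        extra = [a for a in as_list(st.get("Action", [])) if a != "secretsmanager:GetSecretValue"]
        if extra:
            findings.append(f"statement {i}: grants actions beyond GetSecretValue: {extra}")
        for res in as_list(st.get("Resource", [])):
            if res == "*":
                findings.append(f"statement {i}: Resource '*' lets the role read every secret in the account")
            elif not SECRET_ARN.match(res):
                findings.append(f"statement {i}: {res!r} is not a concrete secret ARN (placeholder or wildcard?)")
    return findings
```

Run check_secrets_policy on the JSON you are about to paste into the inline policy editor; an empty list means the policy is scoped to named secrets only.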