- Task role: The task role defines the permissions that the application has. For example, if your pipeline needs to access other AWS services such S3 or Redshift, you would define these permissions in the task role.
- Task execution role: The task execution role is associated with the ECS container instances and grants permission to the ECS service to make API calls on your behalf. For the application, the task execution role needs permissions to start and manage tasks, pull images, and inject secrets, and permissions should be limited to only these operations.
Task role
This is the role that allows your agent instance to use other AWS services, such as Amazon S3. The policy shown here corresponds to the trust relationship required to allow the task role to be assumed by the running tasks and containers. This is a required configuration. You will need the following trusted entity:- Allows
secretsmanager:ListSecretsfor all secrets. - Allows
secretsmanager:GetSecretValueonly for specific secret ARNs.
<region> and <account-id> values should be replaced with the appropriate values for your AWS account. The <secret-id> is the name of the secret in Secrets Manager. You can add as many individual secrets as you need.
For
secretsmanager:GetSecretValue, we strongly suggest you follow the principle of least privilege and limit the scope of the policy to only the secrets that are required for your agent, using named secrets as shown in the example above. However, secretsmanager:ListSecrets needs "Resource": "*" because it’s a list-type action and not tied to individual ARNs.s3:ListBucket, s3:GetObject, and s3:PutObject. These should be scoped to specific staging buckets, again following the principle of least privilege.
The above role should be considered a baseline, and does not include other pipeline integrations with specific databases or services. Any such integrations will require their own additional permissions in the task role.
Task execution role
The task execution role grants the ECS Fargate tasks permission to make AWS API calls. If you don’t have an existing ECS task execution role, you should create one by selecting Create new role when creating a task definition. For the agent credentials to be accessed when they are stored in AWS Secrets Manager, the ECS task execution role will need to be given permission to AWS Secrets Manager.The task execution role’s purpose here is to allow the container to retrieve Matillion’s platform credentials so it can establish the connection to the Matillion agent gateway. For managing ‘s secret definitions, cloud credentials, and OAuths, the permissions for those actions must be assigned to the task role.
- Navigate to Roles in the AWS console, and locate your ECS task execution role.
- Go to Add permissions and select Create inline policy
-
Choose the JSON tab, and replace the JSON displayed there with the following, substituting your secret ARNs in the
<resource-scope>:If secrets will use customer-managed KMS keys (CMKs), you require thekms:Decryptpermission in addition to thesecretsmanager:GetSecretValuepermission, so you will need this policy instead:The<resource-scope>value can be a specific secret ARN, or the wildcard ARN*. We strongly suggest you follow the principle of least privilege and limit the scope of the policy to only the secrets that are required for your agent:or, to specify multiple secrets:Where the<region>and<account-id>values should be replaced with the appropriate values for your AWS account. The<key-id>is the KMS key ID or ARN. You can add as many individual secrets as you need.Using a<resource-scope>of*would give access to all secrets in your AWS account, which is not recommended for production use. - Click Review policy to check the results.
- Give your inline policy a name.
- Click on Create policy to complete the creation and have it added to your role.