In Amazon ECS you define two distinct IAM roles:
- Task Execution Role: used by ECS itself (or the Fargate/EC2 agent) to perform infrastructure operations such as pulling the container image from Amazon ECR, writing logs to Amazon CloudWatch Logs, or fetching secrets.
- Task Role: assumed by the containerized application running inside the task and governs what AWS services the app can call (for example S3, DynamoDB, SQS). Noteworthy example: if you want to attach to a container (exec), it will need a few SSM (Systems Manager)
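As an added example (not part of the original note), the following Python builds the two roles described above and lints a task definition for the separation the note is about: both ARNs present, kept distinct, and the application's role carrying none of the image-pull rights that belong to the execution role. The trust principal `ecs-tasks.amazonaws.com`, the managed policy `AmazonECSTaskExecutionRolePolicy`, the `executionRoleArn`/`taskRoleArn` fields and the four `ssmmessages` actions ECS Exec uses are real; the role names, bucket, account id and image URI are constructed values.

```python
"""Build the two IAM roles an ECS task references and lint a task definition for role separation."""
import json

ECS_TASKS_PRINCIPAL = "ecs-tasks.amazonaws.com"
EXECUTION_MANAGED_POLICY = (
    "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
)
# ECS Exec opens an SSM session into the container; the agent runs inside the task,
# so these actions go on the *task* role, not on the execution role.
ECS_EXEC_ACTIONS = [
    "ssmmessages:CreateControlChannel",
    "ssmmessages:CreateDataChannel",
    "ssmmessages:OpenControlChannel",
    "ssmmessages:OpenDataChannel",
]


def trust_policy() -> dict:
    """Both roles are assumed by the ECS tasks service principal, never by a user or the app directly."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": ECS_TASKS_PRINCIPAL},
            "Action": "sts:AssumeRole",
        }],
    }


def execution_role() -> dict:
    """Execution role: ECR image pull and CloudWatch log delivery, via the AWS managed policy."""
    return {
        "RoleName": "demo-task-execution-role",  # constructed name
        "AssumeRolePolicyDocument": trust_policy(),
        "ManagedPolicyArns": [EXECUTION_MANAGED_POLICY],
    }


def task_role(bucket: str, enable_exec: bool = False) -> dict:
    """Task role: only what the application itself calls, scoped to the one bucket it reads."""
    statements = [{
        "Sid": "AppReadsItsBucket",
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": f"arn:aws:s3:::{bucket}/*",
    }]
    if enable_exec:
        statements.append({
            "Sid": "EcsExecSsmChannels",
            "Effect": "Allow",
            "Action": ECS_EXEC_ACTIONS,
            "Resource": "*",  # ssmmessages actions have no resource-level scoping
        })
    return {
        "RoleName": "demo-task-role",  # constructed name
        "AssumeRolePolicyDocument": trust_policy(),
        "InlinePolicy": {"Version": "2012-10-17", "Statement": statements},
    }


def task_definition(execution_role_arn: str, task_role_arn: str) -> dict:
    """The two ARNs land in two different task-definition fields."""
    return {
        "family": "demo-app",  # constructed
        "executionRoleArn": execution_role_arn,
        "taskRoleArn": task_role_arn,
        "containerDefinitions": [{
            "name": "app",
            # constructed image URI; the execution role is what pulls this
            "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/demo:1",
        }],
    }


def lint(td: dict, task_policy: dict) -> list:
    """Defender-side checks: both roles set, kept distinct, app role free of image-pull rights."""
    findings = []
    exec_arn, task_arn = td.get("executionRoleArn"), td.get("taskRoleArn")
    if not exec_arn:
        findings.append("executionRoleArn missing: ECR pull and log delivery have no identity")
    if not task_arn:
        findings.append("taskRoleArn missing: application has no role of its own")
    if exec_arn and exec_arn == task_arn:
        findings.append("same role used for both: app inherits ECR/log permissions it does not need")
    for stmt in task_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for action in actions:
            if action in ("*", "*:*") or action.startswith("ecr:"):
                findings.append(f"task role grants {action!r}: image pull belongs to the execution role")
    return findings


if __name__ == "__main__":
    exec_arn = "arn:aws:iam::123456789012:role/demo-task-execution-role"  # constructed
    task_arn = "arn:aws:iam::123456789012:role/demo-task-role"  # constructed
    role = task_role("demo-bucket", enable_exec=True)
    print(json.dumps(task_definition(exec_arn, task_arn), indent=2))
    print("findings:", lint(task_definition(exec_arn, task_arn), role["InlinePolicy"]))
```

Run the module directly to see a clean task definition and an empty findings list; feed `lint` a definition that reuses one ARN for both fields, or a task-role policy containing `ecr:*`, and it reports each problem separately.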