Amazon EC2 Container Service (ECS) now allows you to specify an IAM role that can be used by the containers in an ECS task, as a new AWS Compute Blog post explains.
When an application makes use of the AWS SDK or CLI to make requests to the AWS API, it must sign each request with valid AWS access keys so that AWS can identify who sent the request (for example, if your application accesses an Amazon DynamoDB table). This requires you to define a strategy for managing and distributing credentials for applications to use.
Previously, you could specify an IAM role for the Amazon EC2 instances in your ECS cluster, but this resulted in all the privileges required by any task in the cluster being added to a single IAM role, potentially letting tasks use privileges that were not required. Now, you can specify an IAM role for each ECS task.
Read the blog post to learn more.