After some questions and testing, I have established the following best practices around batch IAM roles:
The service role is not required on compute environments. A default service role is created automatically when creating the first compute environment that has that role unspecified.
The compute environment instance role should not have any additional permissions added to it beyond those required for ECS. Strangely, it is required, and because it is passed to EC2 instances it actually requires an associated profile. We create all that in the cirrus-geo built-ins.
Custom permissions required by a batch job should be specified on a role specific to that batch job, and provided as the job definition job role.
The purpose of a batch job execution role is still unclear to me, and I see no reason to use it (save for with Fargate tasks, where it is required, but I haven't used those, so I don't know what it needs permissions-wise). Unless, of course, someone can provide an explanation of what problems it can solve better than the other roles.
As a result, here are three clear action items for cirrus:
All the custom perms we've been stuffing into the instance role should move to a batch job role (specified on the batch job via JobRoleArn in the ContainerProperties). We can create a builtin role named BatchJobRole with the base set of permissions, but encourage users to create one role per task, with the unique set of permissions per task specified there.
We should remove the BatchServiceRole and all references to it.
The BatchInstanceRole should be updated to have the ECS permission set and nothing more.
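The following CloudFormation fragment is an added example of the role layout described in this issue; it is not cirrus-geo's own template. It shows the three action items together: an instance role that carries only the ECS managed policy (wrapped in the instance profile that EC2 requires), no explicit ServiceRole on the compute environment, and a per-job role handed to the job definition through ContainerProperties.JobRoleArn. The parameters `DataBucket`, `Subnets`, `BatchSecurityGroup` and `JobImage`, and the S3 read/write permissions on `ExampleJobRole`, are placeholders chosen for illustration.

```yaml
# Added example, not cirrus-geo code. Parameters below are assumed inputs.
Parameters:
  DataBucket:        { Type: String }                        # assumed: bucket the job reads/writes
  Subnets:           { Type: List<AWS::EC2::Subnet::Id> }    # assumed: compute environment subnets
  BatchSecurityGroup: { Type: AWS::EC2::SecurityGroup::Id }  # assumed: compute environment SG
  JobImage:          { Type: String }                        # assumed: container image for the job

Resources:
  # Action item 3: instance role with the ECS permission set and nothing more.
  # The ECS agent on the Batch-managed EC2 host is the only thing that should use it.
  BatchInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role

  # EC2 can only be handed a role through an instance profile, so the
  # compute environment references the profile ARN, not the role ARN.
  BatchInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles: [!Ref BatchInstanceRole]

  # Action item 1: job-specific permissions live on a job role that the
  # container assumes via ECS task credentials (trusts ecs-tasks.amazonaws.com).
  ExampleJobRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ecs-tasks.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: example-job-permissions   # assumed: only what this one job needs
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: [s3:GetObject, s3:PutObject]
                Resource: !Sub arn:aws:s3:::${DataBucket}/*

  # Action item 2: no ServiceRole property; Batch uses its service-linked role.
  BatchComputeEnvironment:
    Type: AWS::Batch::ComputeEnvironment
    Properties:
      Type: MANAGED
      ComputeResources:
        Type: EC2
        MinvCpus: 0
        MaxvCpus: 16
        InstanceTypes: [optimal]
        InstanceRole: !GetAtt BatchInstanceProfile.Arn
        Subnets: !Ref Subnets
        SecurityGroupIds: [!Ref BatchSecurityGroup]

  BatchJobQueue:
    Type: AWS::Batch::JobQueue
    Properties:
      Priority: 1
      ComputeEnvironmentOrder:
        - Order: 1
          ComputeEnvironment: !Ref BatchComputeEnvironment

  # The job definition is where the job role is attached.
  ExampleJobDefinition:
    Type: AWS::Batch::JobDefinition
    Properties:
      Type: container
      ContainerProperties:
        Image: !Ref JobImage
        JobRoleArn: !GetAtt ExampleJobRole.Arn
        ResourceRequirements:
          - { Type: VCPU,   Value: "1" }
          - { Type: MEMORY, Value: "2048" }
        Command: ["python", "-m", "example_task"]   # assumed entrypoint
```

The reason the split matters in practice: a container on an EC2-backed compute environment can reach the instance metadata service and read the instance role's credentials unless IMDS access is blocked for tasks, so any permission placed on the instance role is effectively available to every job on that host. Keeping the instance role at the ECS managed policy and granting work permissions only through `JobRoleArn` scopes each job to its own role.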