IAM Role


  • To manage instances running on-prem, the AWS Systems Manager (SSM) agent is installed on customer-managed operating systems, turning them into SSM "managed instances."
  • A new converged version of the existing open source Amazon ECS agent is then installed on these managed instances (for example through SSM Distributor).
  • These instances register into an ECS cluster previously defined in the control plane in the Region.
  • Both agents need AWS credentials, which they obtain from an IAM role: the SSM agent assumes it when the instance registers, and the ECS agent uses the same credentials to register the instance into the cluster. So we need to create an IAM role whose trust policy names the service principal ssm.amazonaws.com (not "ssm.amazon.com"; a typo here makes the registration fail) and attach the AmazonSSMManagedInstanceCore and AmazonEC2ContainerServiceforEC2Role managed policies to it.

Here is a high level description of what each of these policies is responsible for:

  • AmazonSSMManagedInstanceCore: the core permissions the SSM agent needs to register the machine as a managed instance and talk to the Systems Manager endpoints (Run Command, Session Manager, and so on).
  • AmazonEC2ContainerServiceforEC2Role: the permissions the ECS agent needs to register the container instance into a cluster, poll for tasks, pull images from Amazon ECR and write container logs to CloudWatch Logs.

Create the IAM role

Run the following commands from the root directory (where ssm-trust-policy.json lives, with $ROLE_NAME exported) to create the role and attach the IAM policies required for setting up the ECS Anywhere cluster:

aws iam create-role --role-name $ROLE_NAME --assume-role-policy-document file://ssm-trust-policy.json
aws iam attach-role-policy --role-name $ROLE_NAME --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
aws iam attach-role-policy --role-name $ROLE_NAME --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role

# Verify
aws iam list-attached-role-policies --role-name $ROLE_NAME
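The commands above reference ssm-trust-policy.json without showing it. The script below is an added example, not part of the workshop: it writes that trust policy with the ssm.amazonaws.com service principal, checks the file before it is sent to IAM (rejecting wildcard or account principals, which would let any caller assume the role), and only calls the AWS CLI when run with --apply. The role name ecsAnywhereRole and the TRUST_FILE variable are assumptions.

```shell
#!/bin/sh
# Added example (not the workshop's own code). Writes and checks the SSM trust
# policy used by `aws iam create-role`, then optionally creates the role.
set -eu

ROLE_NAME="${ROLE_NAME:-ecsAnywhereRole}"          # assumed default name
TRUST_FILE="${TRUST_FILE:-ssm-trust-policy.json}"  # file the create-role call reads

# Trust policy: only the Systems Manager service may assume this role.
# It is SSM that hands credentials to the registered on-prem instance.
write_trust_policy() {
  cat > "$1" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ssm.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Sanity-check a trust policy before it reaches IAM:
#  - the service principal must be ssm.amazonaws.com (a common typo is ssm.amazon.com)
#  - no "*" or "AWS" account principals, which would widen who can assume the role
#  - the action must be sts:AssumeRole
check_trust_policy() {
  f="$1"
  grep -q '"Service": *"ssm.amazonaws.com"' "$f" || return 1
  ! grep -Eq '"Principal": *"\*"|"AWS":' "$f" || return 1
  grep -q '"sts:AssumeRole"' "$f" || return 1
  return 0
}

# Create the role, attach the two managed policies and list what is attached.
create_role() {
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "file://$TRUST_FILE" >/dev/null
  for p in arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore \
           arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role; do
    aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$p"
  done
  # Verify: both policy ARNs should be printed
  aws iam list-attached-role-policies --role-name "$ROLE_NAME" \
    --query 'AttachedPolicies[].PolicyArn' --output text
}

write_trust_policy "$TRUST_FILE"
check_trust_policy "$TRUST_FILE" || { echo "refusing to use $TRUST_FILE: bad principal" >&2; exit 1; }

# Without --apply the script stops here, so it can be run offline to produce the file.
if [ "${1:-}" = "--apply" ]; then
  create_role
fi
```

Run it once without arguments to generate and check the file, then with --apply (and AWS credentials in the environment) to create the role. The check is deliberately strict: a trust policy that also names an IAM user or an account ARN would still "work" for ECS Anywhere but lets that extra principal assume a role carrying cluster registration rights.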