Internship Report > Workshop > Prerequisite - IAM roles and policy baseline

Prerequisite - IAM roles and policy baseline

1. Prepare ECS task execution role (stack baseline)

Open IAM Console - Roles - Create role.
Select trusted entity AWS service.
Select service Elastic Container Service.
Select use case Elastic Container Service Task.
Click Next.
Search and select managed policy AmazonECSTaskExecutionRolePolicy.
Click Next.
Enter role name MyfitInfraStack-TaskExecutionRole.
Enter description Allows ECS tasks to call AWS services on your behalf.
Click Create role.

2. Add execution role inline policy (ECR, Logs, Secrets)

Open role MyfitInfraStack-TaskExecutionRole.
Click Add permissions - Create inline policy.
In JSON editor, add permissions equivalent to your stack policy TaskExecutionRoleDefaultPolicy.
Keep at least these actions and resources:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ],
      "Resource": "arn:aws:ecr:us-east-1:<your-service-arn-id>:repository/myfit-backend"
    },
    {
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:us-east-1:<your-service-arn-id>:log-group:<your-service-arn-id>:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:us-east-1:<your-service-arn-id>:secret:<your-service-arn-id>",
        "arn:aws:secretsmanager:us-east-1:<your-service-arn-id>:secret:<your-service-arn-id>"
      ]
    }
  ]
}

Save as inline policy TaskExecutionRoleDefaultPolicy.

3. Prepare ECS task role (application data access)

Open IAM role MyfitInfraStack-TaskRole.
Edit inline policy TaskRoleDefaultPolicy07FC53DE.
Confirm S3 access policy covers bucket crawl.fitness and object path crawl.fitness/*.

4. Service-level policies required outside IAM role

Some permissions must be configured in the target service, not only in IAM role.

4.1 S3 bucket policy for CloudFront origin access

Open S3 bucket used for frontend origin.
Open Permissions - Bucket policy - Edit.
Add CloudFront read statement with AWS:SourceArn of your distribution.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudFrontServicePrincipalReadOnly",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudfront.amazonaws.com"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<your-frontend-bucket>/*",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:cloudfront::<your-service-arn-id>:distribution/<your-service-arn-id>"
        }
      }
    }
  ]
}

4.2 Secret value lifecycle for Bedrock key

Keep Bedrock API key in Secrets Manager secret myfit/bedrock-api-key.
When key rotates, update secret value and redeploy ECS service to refresh runtime value.

5. Prerequisite completion checklist

Confirm execution role exists and trust policy principal is ecs-tasks.amazonaws.com.
Confirm managed policy AmazonECSTaskExecutionRolePolicy is attached.
Confirm execution role inline policy includes ECR, logs, and Secrets Manager read permissions.
Confirm Bedrock secret ARN is included in execution role policy resources.
Confirm task role inline policy allows S3 actions for crawl.fitness bucket.
Confirm S3 bucket policy for frontend origin allows CloudFront service principal with distribution SourceArn.
Confirm ECS task definition maps secret name BEDROCK_API_KEY from Secrets Manager.