AWS Distro for OpenTelemetry

Create IAM Role


To run a task in ECS with the ADOT Collector, we need two different roles: a TaskRole and a TaskExecutionRole. In this section, we will create these two roles with the proper IAM policies.




1. Create TaskRole

The TaskRole is the IAM role used by the task itself. For example, if your container wants to call other AWS services such as Amazon CloudWatch or AWS X-Ray, those permissions need to be granted through the TaskRole.

1.1. Go to AWS Management Console

Go to AWS Management Console and open the IAM Roles page.

1.2. Create Role

Click the Create Role button in the top-left corner.

Diagram

1.3. Select Elastic Container Service

Diagram

1.4. Select Use Case

At the bottom of the same page, select Elastic Container Service Task and click the Next: Permissions button to go to the next page.

Diagram

1.5. Attach Policy to the Role

Search for and select the policy (AWSDistroOpenTelemetryPolicy) we created in the previous Create IAM Policy tutorial. Click the Next: Tags button to go to the next page.

Diagram

1.6. Add Role Name and Description

Enter a role name (e.g. AWSOTTaskRole) and a role description. Click the Create Role button to finish the process.

Diagram



2. Create TaskExecutionRole

The TaskExecutionRole grants Amazon ECS permissions to make AWS API calls on your behalf.

2.1. Repeat steps from previous section

Repeat the following steps (1.1 to 1.4) from the Create TaskRole section:

  • 1.1 Go to AWS Management Console
  • 1.2 Create Role
  • 1.3 Select Elastic Container Service
  • 1.4 Select Use Case
  • 1.5 Attach Policy to the Role

2.2 Attach AmazonECSTaskExecutionRolePolicy Policy

Search for and select the AmazonECSTaskExecutionRolePolicy policy.

Diagram

2.3 Attach CloudWatchLogsFullAccess Policy

Search for and select the CloudWatchLogsFullAccess policy.

Diagram

2.4 Attach AmazonSSMReadOnlyAccess Policy

Search for and select the AmazonSSMReadOnlyAccess policy. Click the Next: Tags button to go to the next page.

Diagram

2.5 Add Role Name and Description

Click the Next: Review button to go to the next page, then enter a role name (e.g. AWSOTTaskExecutionRole) and a description. Click the Create Role button to finish the process.

Diagram
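The same two roles created with the AWS CLI instead of the console, as an added example that is not part of the ADOT documentation. It assumes the AWS CLI is installed and configured with permission to create roles and attach policies, that the AWSDistroOpenTelemetryPolicy from the previous tutorial already exists, and that ACCOUNT_ID is replaced with your own account id (the value in the script is a placeholder). The trust document it embeds is what the "Elastic Container Service Task" use case generates in the console: only the ecs-tasks.amazonaws.com service principal may assume the role. The role names, descriptions and helper function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the ADOT documentation: the console steps above
# expressed as AWS CLI calls. Assumes the AWS CLI is installed and configured
# with permission to create roles and attach policies, and that
# AWSDistroOpenTelemetryPolicy (from the previous tutorial) already exists.
set -eu

AWS="${AWS:-aws}"                        # set AWS=echo to print the calls instead of running them
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}" # placeholder account id; replace with your own

# Trust policy shared by both roles. Choosing the "Elastic Container Service
# Task" use case in the console generates the same document: only the ECS
# tasks service principal may assume the role.
ecs_task_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ecs-tasks.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Policy ARNs the page attaches to each role: the customer-managed ADOT
# policy for the TaskRole, three AWS-managed policies for the TaskExecutionRole.
task_role_policy_arns() {
  echo "arn:aws:iam::${ACCOUNT_ID}:policy/AWSDistroOpenTelemetryPolicy"
}

task_execution_role_policy_arns() {
  echo "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
  echo "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"
  echo "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess"
}

# create_role NAME DESCRIPTION: creates the role with the ECS trust policy,
# then attaches every policy ARN read from stdin (one per line).
create_role() {
  name="$1"
  description="$2"
  "$AWS" iam create-role \
    --role-name "$name" \
    --description "$description" \
    --assume-role-policy-document "$(ecs_task_trust_policy)" </dev/null
  while read -r arn; do
    "$AWS" iam attach-role-policy --role-name "$name" --policy-arn "$arn"
  done
}

create_task_role() {
  task_role_policy_arns |
    create_role AWSOTTaskRole "Task role for containers running the ADOT Collector"
}

create_task_execution_role() {
  task_execution_role_policy_arns |
    create_role AWSOTTaskExecutionRole "Execution role for ECS tasks running the ADOT Collector"
}

# Dry-run helper: count the attach-role-policy calls a role would make.
# Usage: count_attachments task_role   (or task_execution_role)
count_attachments() {
  ( AWS=echo; "create_$1" ) | grep -c 'attach-role-policy'
}

# Only touch the account when explicitly asked: ./create_roles.sh --apply
if [ "${1:-}" = "--apply" ]; then
  create_task_role
  create_task_execution_role
fi
```

Running the script with AWS=echo and without --apply prints every call it would make, which is a convenient way to review the role names and policy ARNs before anything is created. Two points worth checking in a review of the result: AWS documents adding aws:SourceAccount or aws:SourceArn conditions to the ecs-tasks.amazonaws.com trust statement to guard against cross-service confused-deputy use, and the AWS-managed CloudWatchLogsFullAccess policy grants considerably more than the collector needs to write logs, so a narrower customer-managed policy can be substituted once the collector's exact log group is known.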