• Task Role can be applied to a specific task. Rather than using a single set of unified permissions for a container instance/host, you can define a task role per task, so each task carries only the permissions it needs. Within AWS Fargate, since you don't manage the underlying hosting infrastructure, you can only use Task Roles.
  • Task Execution Role: This is the role that ECS uses on your behalf to interact with other services, such as publishing logs and accessing CloudFormation; it is what allows the ECS Agent to interact with AWS services.
  • ECS enables you to inject sensitive data into your containers by storing your sensitive data in either AWS Secrets Manager secrets or AWS Systems Manager Parameter Store parameters and then referencing them in your container definition. This feature is supported by tasks using both the EC2 and Fargate launch types.
  • Within your container definition, specify secrets with the name of the environment variable to set in the container and the full ARN of either the Secrets Manager secret or Systems Manager Parameter Store parameter containing the sensitive data to present to the container. The parameter that you reference can be from a different Region than the container using it, but must be from within the same account.
  • If you want a single store for configuration and secrets, you can use Parameter Store. If you want a dedicated secrets store with lifecycle management, use Secrets Manager.
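As an added example (not code from the page or from AWS), the following lint checks a container definition against the rules above: every `secrets` entry must reference a full Secrets Manager or Parameter Store ARN, the referenced account must match the task's own account (a different Region is allowed), and nothing secret-looking should sit in plaintext `environment`. The task definition, account IDs and ARNs are constructed for illustration; the account is taken from `executionRoleArn`, which is an assumption of this check.

```python
import re

# Constructed sample task definition; account IDs, roles and ARNs are made up.
TASK_DEF = {
    "family": "payments-api",
    "taskRoleArn": "arn:aws:iam::123456789012:role/payments-task-role",
    "executionRoleArn": "arn:aws:iam::123456789012:role/payments-exec-role",
    "containerDefinitions": [{
        "name": "api",
        "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/payments:1.0",
        "environment": [
            {"name": "LOG_LEVEL", "value": "info"},
            {"name": "SMTP_PASSWORD", "value": "hunter2"},   # plaintext secret: should be in `secrets`
        ],
        "secrets": [
            # Same account, different Region: allowed.
            {"name": "DB_PASSWORD",
             "valueFrom": "arn:aws:secretsmanager:eu-west-1:123456789012:secret:prod/db-AbCdEf"},
            # Different account: not allowed.
            {"name": "API_KEY",
             "valueFrom": "arn:aws:ssm:us-east-1:999999999999:parameter/prod/api-key"},
            # Not a full ARN of either store.
            {"name": "FEATURE_FLAG", "valueFrom": "prod/feature-flag"},
        ],
    }],
}

# Full ARN of a Secrets Manager secret or an SSM Parameter Store parameter.
SECRET_ARN_RE = re.compile(
    r"^arn:aws:(secretsmanager|ssm):([a-z0-9-]+):(\d{12}):(secret:|parameter/)")
SENSITIVE_NAME_RE = re.compile(r"PASSWORD|SECRET|TOKEN|KEY", re.IGNORECASE)


def lint_secrets(task_def):
    """Return (container, variable, finding) tuples for secret-handling problems."""
    findings = []
    # Assumption: the execution role's account is the account the task runs in.
    task_account = task_def["executionRoleArn"].split(":")[4]
    for cd in task_def["containerDefinitions"]:
        for s in cd.get("secrets", []):
            m = SECRET_ARN_RE.match(s["valueFrom"])
            if not m:
                findings.append((cd["name"], s["name"],
                                 "valueFrom is not a Secrets Manager or Parameter Store ARN"))
                continue
            service, region, account, _ = m.groups()
            if account != task_account:   # Region may differ; account must not.
                findings.append((cd["name"], s["name"],
                                 f"cross-account {service} reference in {region}: {account}"))
        for env in cd.get("environment", []):
            if SENSITIVE_NAME_RE.search(env["name"]):
                findings.append((cd["name"], env["name"],
                                 "sensitive value passed as plaintext environment variable"))
    return findings


if __name__ == "__main__":
    for container, name, msg in lint_secrets(TASK_DEF):
        print(f"{container}/{name}: {msg}")
```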