b. Create IAM Role

In this step, we will create an IAM role for Amazon ECS Task Execution.

AWS Batch uses Amazon ECS to create the compute environment. The task execution role grants the Amazon ECS container permission to make AWS API calls on your behalf.

Run the following commands in your Cloud9 terminal to create a task execution IAM role.

  1. Create a file named ecs-tasks-trust-policy.json that contains the trust policy to use for the IAM role, as below:

cat > ecs-tasks-trust-policy.json << EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF

  2. Create an IAM role named ecsTaskExecutionRole using the trust policy created in the previous step.

aws iam create-role --role-name ecsTaskExecutionRole --assume-role-policy-document file://ecs-tasks-trust-policy.json

  3. Attach the AWS managed AmazonECSTaskExecutionRolePolicy policy to the ecsTaskExecutionRole role. This policy provides the permissions required to pull the container image from an Amazon ECR private repository and to send the container logs to CloudWatch.

aws iam attach-role-policy --role-name ecsTaskExecutionRole --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy

You will be using this role when creating the AWS Batch Job definition later in this lab.
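Before the role is referenced from the job definition, it is worth confirming it still looks the way these steps intend: trusted only by ecs-tasks.amazonaws.com, and carrying only AmazonECSTaskExecutionRolePolicy. The Python check below is an added example, not part of the workshop; it runs offline on a trust policy document (the shape `aws iam get-role` returns in Role.AssumeRolePolicyDocument) and on a list of attached policy ARNs (the PolicyArn values from `aws iam list-attached-role-policies`), with a constructed drifted policy included for contrast.

```python
import json

EXPECTED_SERVICE = "ecs-tasks.amazonaws.com"
EXPECTED_POLICY_ARN = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"

# The trust policy the lab writes to ecs-tasks-trust-policy.json, parsed the way
# `aws iam get-role` would hand it back in Role.AssumeRolePolicyDocument.
LAB_TRUST_POLICY = json.loads('{"Version": "2012-10-17", "Statement": [{"Sid": "", "Effect": "Allow",'
                              ' "Principal": {"Service": "ecs-tasks.amazonaws.com"}, "Action": "sts:AssumeRole"}]}')

# Constructed drifted policy for contrast: wildcard principal plus an extra STS action.
DRIFTED_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["sts:AssumeRole", "sts:TagSession"]}]}


def _as_list(value):
    # IAM policy JSON allows a single string or a list in Statement/Action/Principal fields.
    return [] if value is None else value if isinstance(value, list) else [value]


def trust_policy_findings(doc):
    """Problems with a role trust policy; an empty list means it matches the lab's intent."""
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        bad_actions = [a for a in _as_list(stmt.get("Action")) if a != "sts:AssumeRole"]
        if bad_actions:
            findings.append(f"actions beyond sts:AssumeRole allowed: {bad_actions}")
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append('any principal ("*") may assume the role')
        elif not isinstance(principal, dict):
            findings.append(f"unexpected Principal value: {principal!r}")
        else:
            for ptype, values in principal.items():
                for value in _as_list(values):
                    if ptype != "Service" or value != EXPECTED_SERVICE:
                        findings.append(f"unexpected {ptype} principal {value!r}; expected only Service {EXPECTED_SERVICE}")
    return findings


def attached_policy_findings(attached_arns):
    """Check the role carries exactly the one managed policy the lab attaches."""
    extra = sorted(set(attached_arns) - {EXPECTED_POLICY_ARN})
    findings = [f"unexpected policy attached: {arn}" for arn in extra]
    if EXPECTED_POLICY_ARN not in attached_arns:
        findings.append(f"required policy missing: {EXPECTED_POLICY_ARN}")
    return findings
```

Running both checks after each step (or from a scheduled job) turns the lab's "attach exactly this policy" instruction into something that can be re-verified when someone later edits the role.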