I am currently running Drone in an ECS cluster and have created the Drone server and Agent as separate ECS tasks. Our build pipelines provision both infrastructure and deploy code all in the same pipelines. This means that the Drone agents need very liberal permissions when interacting with AWS in order to create and destroy infrastructure.
I had initially put these permissions at the EC2 instance level but obviously that means that everything in the cluster (there are other non-Drone related containers running) now has these crazy permissions. I decided to change the cluster to only give minimal permissions to the Drone server and other unrelated containers and the more elevated permissions to the agents.
However, unfortunately, in order to use Task IAM roles an environment variable in the container called AWS_CONTAINER_CREDENTIALS_RELATIVE_URI needs to be set dynamically based on the UUID of the task (more info here). The problem, of course, is that this is available in the agent container but not in any of the pipelines’ containers; thus, any AWS CLI commands (both the CLI and SDK rely on this variable) that rely on the permissions set in the Task IAM role will fail unless they are also present in the EC2 instance the container is running on. This is obviously suboptimal from a security point of view.
There is also a way to set an IAM role at the ECS service level (services are composed of one or more tasks) but unfortunately that only works if the service has a load balancer; having to assign a load balancer to every service regardless of whether they need one or not also feels suboptimal. Is there a way around this that I’m not seeing?
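Added example, not code from the post or from Drone or the AWS SDKs: a small Python model of how the SDK's container credential provider turns AWS_CONTAINER_CREDENTIALS_RELATIVE_URI into a request to the ECS credentials endpoint, and why a container without that variable silently falls through to the instance profile. The sample JSON reply, the role ARN and the fake_fetch stand-in are constructed for illustration; the link-local endpoint and field names are the ones the ECS agent documents.

```python
import json
from datetime import datetime, timezone
from typing import Callable, Optional

# Link-local endpoint the ECS agent serves task-role credentials from; the SDK
# appends AWS_CONTAINER_CREDENTIALS_RELATIVE_URI (a per-task path with its UUID).
ECS_CREDENTIALS_HOST = "http://169.254.170.2"
ENV_VAR = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
# Constructed sample reply in the endpoint's JSON shape (not real credentials).
SAMPLE_RESPONSE = json.dumps({
    "RoleArn": "arn:aws:iam::123456789012:role/drone-agent-example",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE", "SecretAccessKey": "example-secret-not-real",
    "Token": "example-session-token", "Expiration": "2099-01-01T00:00:00Z",
})

def credentials_url(environ: dict) -> Optional[str]:
    """Build the endpoint URL; None when the variable is absent, which is the
    state of a pipeline container the agent spawns outside the ECS task."""
    relative = environ.get(ENV_VAR)
    if not relative:
        return None
    if not relative.startswith("/"):
        raise ValueError(f"{ENV_VAR} must be a path relative to the endpoint")
    return ECS_CREDENTIALS_HOST + relative

def parse_credentials(body: str, now: datetime) -> dict:
    """Parse the endpoint reply and reject incomplete or expired credentials."""
    data = json.loads(body)
    missing = [k for k in ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")
               if k not in data]
    if missing:
        raise ValueError(f"credential response missing {missing}")
    expiry = datetime.fromisoformat(data["Expiration"].replace("Z", "+00:00"))
    if expiry <= now:
        raise ValueError("task-role credentials have already expired")
    return {"access_key": data["AccessKeyId"], "secret_key": data["SecretAccessKey"],
            "session_token": data["Token"], "expires": expiry, "role_arn": data.get("RoleArn")}

def resolve(environ: dict, fetch: Callable[[str], str],
            now: Optional[datetime] = None) -> Optional[dict]:
    """One step of the SDK credential chain. None means 'no container
    credentials here', so the CLI/SDK falls through to the next source, usually
    the EC2 instance profile: the over-broad fallback the post worries about."""
    url = credentials_url(environ)
    if url is None:
        return None
    return parse_credentials(fetch(url), now or datetime.now(timezone.utc))

def fake_fetch(url: str) -> str:  # stand-in for the HTTP GET; returns the sample reply
    return SAMPLE_RESPONSE
```

Running resolve with an empty environment mirrors a pipeline container: it returns None rather than an error, which is why the commands only "work" when the instance profile happens to carry the same permissions.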