Demo Fargate IAM role creation

In this walkthrough, you'll learn how to create an IAM role for running chaos experiments on Amazon ECS Fargate using AWS Fault Injection Simulator (FIS). By the end, your ECS-Fargate-FIS-Role will have the permissions needed for logging, SSM commands, and ECS operations.

Prerequisites

  • An AWS account with permissions to create roles and attach policies (iam:CreateRole, iam:AttachRolePolicy).
  • Basic familiarity with AWS IAM, ECS Fargate, and AWS FIS.

Step 1: Start Role Creation

  1. Open the AWS IAM console and click Create role.
  2. Under Select trusted entity, choose AWS service.
  3. From the service list, select AWS Fault Injection Simulator (FIS).
  4. In the Use case section, pick ECS Fargate since your experiments will target Fargate tasks.

The image shows an AWS console interface where a user is selecting a use case for the Fault Injection Simulator (FIS) service, with options for different types of access like EC2, ECS, and EKS.

Note

Selecting the correct trusted entity and use case ensures FIS can assume this role during experiments.

Step 2: Configure Role Details

  1. Click Next to proceed to the role details page.
  2. Enter a descriptive name, for example ECS-Fargate-FIS-Role.
  3. (Optional) Add a description such as “Role for FIS chaos experiments on ECS Fargate.”
  4. Click Create role to finalize.

The image shows an AWS console interface for creating a role, with fields for entering a role name and description, and a section for selecting trusted entities and trust policy details.

Step 3: Attach Required IAM Policies

Now that the role exists, attach the following managed policies to grant FIS the necessary permissions:

Policy Name | Purpose
CloudWatchLogsFullAccess | Allow FIS to write experiment logs to CloudWatch Logs
AmazonSSMFullAccess | Enable running SSM documents (commands) during the experiment
AWSFaultInjectionSimulatorECSAccess | Grant FIS permissions specific to ECS operations on Fargate

The image shows an AWS Identity and Access Management (IAM) interface with a list of permission policies attached to a role. The policies include AmazonSSMFullAccess, AWSFaultInjectionSimulatorECSAccess, and CloudWatchLogsFullAccess.

Warning

For production environments, consider using least-privilege custom policies rather than full-access managed policies.

Finalize and Verify

Your IAM role ECS-Fargate-FIS-Role is now ready. You can reference this role ARN when creating FIS experiments targeting ECS Fargate tasks.
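
As an added example (not part of the original walkthrough), the Python sketch below audits the finished role for the two issues the Note and Warning point at: who can assume it, and how broad its attached policies are. It also builds a trust policy limited to FIS experiments in one account using the aws:SourceAccount and aws:SourceArn condition keys. The function names, the account ID 111122223333, the region, the unconditioned sample trust policy, and the "name ends in FullAccess" heuristic are all assumptions made for illustration.

```python
import json

FIS_PRINCIPAL = "fis.amazonaws.com"

def build_fis_trust_policy(account_id, region):
    """Trust policy that only FIS experiments in this account/region can use."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": FIS_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": account_id},
            "ArnLike": {"aws:SourceArn":
                        f"arn:aws:fis:{region}:{account_id}:experiment/*"},
        },
    }]}

def audit_role(trust_policy, attached_policies):
    """Return a list of findings for an FIS experiment role (hypothetical helper)."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        values = principal.values() if isinstance(principal, dict) else [principal]
        for value in values:
            for name in ([value] if isinstance(value, str) else value):
                if name != FIS_PRINCIPAL:
                    findings.append(f"trust: unexpected principal {name}")
        # Condition keys are case-insensitive, so compare in lower case.
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if not keys & {"aws:sourceaccount", "aws:sourcearn"}:
            findings.append("trust: no aws:SourceAccount/aws:SourceArn condition")
    for name in attached_policies:
        if name.endswith("FullAccess"):  # heuristic, assumption of this example
            findings.append(f"policy: {name} is a full-access managed policy")
    return findings

# Constructed sample: an unconditioned FIS trust policy plus the Step 3 policies.
DEMO_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": FIS_PRINCIPAL},
     "Action": "sts:AssumeRole"}]}
DEMO_POLICIES = ["CloudWatchLogsFullAccess", "AmazonSSMFullAccess",
                 "AWSFaultInjectionSimulatorECSAccess"]

if __name__ == "__main__":
    for finding in audit_role(DEMO_TRUST, DEMO_POLICIES):
        print(finding)
    print(json.dumps(build_fis_trust_policy("111122223333", "us-east-1"), indent=2))
```

To run the audit against a real role, feed it the trust policy from `aws iam get-role` and the policy names from `aws iam list-attached-role-policies`.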
