aws_ecs: FargateTaskDefinition always adds default policy to execution role even when role is provided explicitly

[juliangrueber]

Describe the bug

I want to manage the task execution policy my self such as its attached policies. In particular, I would like to attach metadata to specific policies to add cfn_nag ignore statements.
This is not work if policies are attached behind the scenes.
In addition, the docs do that state this behaviour

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Library Version

No response

Expected Behavior

CDK does not attach any inline policies to the provided task execution IAM role.

Current Behavior

Even though all required permissions are already attached to the custom task execution role, CDK attaches the default execution policy.

Reproduction Steps

Create a FargateTaskDefinition with your custom execution role with custom inline permissions. Once deployed, look at the attached inline policies of that role. There will be the default execution policy be attached.

Possible Solution

Do not attach the default policy

Additional Information/Context

No response

AWS CDK Library version (aws-cdk-lib)

/local/home/****/***** └── (empty)

AWS CDK CLI version

2.1030.0 (build e46adaf)

Node.js Version

v24.5.0

OS

Linux CentOS

Language

Python

Language Version

Python 3.12

Other information

No response

[pahud]

Hi @juliangrueber,

Thank you for reporting this issue. The behavior you're observing appears to be by design in the current CDK implementation, though I understand it doesn't meet your use case for managing execution role policies with custom metadata.

When you provide a custom execution role to a FargateTaskDefinition, CDK still automatically adds inline policies to that role when:

1. ECR images are used: The EcrImage.bind() method calls repository.grantPull() on the execution role
2. CloudWatch Logs are configured: The AwsLogDriver.bind() method adds CloudWatch Logs permissions

This happens because these components call obtainExecutionRole(), which returns your custom role, and then add policies to it without checking whether it was user-provided.

While this behavior ensures tasks have the necessary permissions to function, it does prevent you from having full control over the execution role's policies and their metadata for tools like cfn_nag.

Potential solutions could include:

• Adding a flag to disable automatic policy additions when a custom execution role is provided
• Modifying CDK to detect user-provided roles and skip automatic policy additions
• Using managed policies instead of inline policies for automatic grants

Would you be interested in contributing a PR to address this? The change would likely need to be made in the TaskDefinition class and the various image/log driver implementations to respect a flag indicating that automatic policy additions should be skipped.

In the meantime, as a workaround, you might consider escape hatches to replace the CDK-generated inline policies with your own managed policies that include cfn_nag metadata:

e.g.

# Let CDK create the execution role and add its policies
task_def = ecs.FargateTaskDefinition(self, "TaskDef", ...)

# Access the CloudFormation resource
cfn_task_def = task_def.node.default_child

# Remove the inline policies CDK added
cfn_execution_role = task_def.execution_role.node.default_child
cfn_execution_role.add_property_override("Policies", [])

# Add your custom managed policy with metadata
custom_policy = iam.ManagedPolicy(self, "CustomExecutionPolicy",
   statements=[...],  # Your required permissions
)
custom_policy.attach_to_role(task_def.execution_role)

# Add cfn_nag metadata to your custom policy
cfn_custom_policy = custom_policy.node.default_child
cfn_custom_policy.add_metadata("cfn_nag", {...})

Let me know if it helps and we welcome PRs to improve this user experience.