Tags: amazon-web-services, amazon-ec2, amazon-ecs

Do the EC2 Instance Profile and the Task Execution Role overlap in AWS ECS?


Both the EC2 Instance Profile and the Task Execution Role are said to be used by the ECS agent, so why do we need both of them? For example, the ECS agent needs permission to "pull down docker images from ECR"; should I add this permission to the EC2 Instance Profile or to the Task Execution Role?


Solution

  • There is some overlap because ECS supports both EC2 and Fargate deployment types, and Fargate doesn't have instance profiles at all, so Fargate deployments have to have all those permissions assigned to the Task Execution Role.

    For EC2 deployments, the ECS agent gets permissions from the EC2 instance profile, but the container may still need a Task Execution role for certain things, like access to secrets in Secrets Manager/SSM Parameter Store.

    There is a set of bullet points at the top of this documentation page that lists the reasons Fargate deployments need a Task Execution role, and a separate list of reasons that EC2 deployments need a Task Execution role.
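To make the split concrete, here is an added example (my own illustration, not code from AWS or from the answer above) that builds a least-privilege policy for the task execution role, a minimal task definition that references it, and a check that every secret the task definition names is actually readable by that role. The IAM action names are the real ones (they match what `AmazonECSTaskExecutionRolePolicy` grants); the account id, region, ARNs, image and log group are placeholders, and the secret references are assumed to be full ARNs so that resource matching can be exact.

```python
"""Split ECS permissions between the EC2 instance profile and the task execution role.

Added illustration for this answer, not AWS's own code. Action names are real IAM
actions; every ARN, name and id below is a constructed placeholder.
"""
import json

ACCOUNT = "123456789012"   # placeholder account id (assumption)
REGION = "us-east-1"       # placeholder region (assumption)
REPO_ARN = f"arn:aws:ecr:{REGION}:{ACCOUNT}:repository/app"
IMAGE = f"{ACCOUNT}.dkr.ecr.{REGION}.amazonaws.com/app:1.0"
LOG_GROUP = "/ecs/app"
LOG_GROUP_ARN = f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:{LOG_GROUP}"
EXECUTION_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/appTaskExecutionRole"
# Constructed sample secrets: one in Secrets Manager, one in SSM Parameter Store.
SECRETS = {
    "DB_PASS": f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:app/db-pass-AbCdEf",
    "DB_HOST": f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/app/db-host",
}

# GetAuthorizationToken is account-wide, so its Resource must be "*";
# the layer/image actions can be scoped to one repository.
ECR_AUTH_ACTIONS = ["ecr:GetAuthorizationToken"]
ECR_PULL_ACTIONS = ["ecr:BatchCheckLayerAvailability",
                    "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]
LOG_ACTIONS = ["logs:CreateLogStream", "logs:PutLogEvents"]
SECRET_ACTION_FOR_SERVICE = {"secretsmanager": "secretsmanager:GetSecretValue",
                             "ssm": "ssm:GetParameters"}


def execution_role_policy(repo_arn, log_group_arn, secret_arns=()):
    """Policy for the task execution role: image pull, log delivery, and reading
    exactly the secrets passed in (grouped by service so each gets its own action)."""
    statements = [
        {"Sid": "EcrAuth", "Effect": "Allow", "Action": ECR_AUTH_ACTIONS, "Resource": "*"},
        {"Sid": "EcrPull", "Effect": "Allow", "Action": ECR_PULL_ACTIONS, "Resource": repo_arn},
        {"Sid": "Logs", "Effect": "Allow", "Action": LOG_ACTIONS, "Resource": log_group_arn + ":*"},
    ]
    by_service = {}
    for arn in secret_arns:
        by_service.setdefault(arn.split(":")[2], []).append(arn)   # arn:aws:<service>:...
    for service, arns in by_service.items():
        statements.append({"Sid": service.capitalize() + "Read", "Effect": "Allow",
                           "Action": [SECRET_ACTION_FOR_SERVICE[service]], "Resource": arns})
    return {"Version": "2012-10-17", "Statement": statements}


def task_definition(launch_type, image, execution_role_arn, secrets, log_group):
    """Minimal task definition. executionRoleArn is what the agent assumes to pull the
    image and resolve secrets; a taskRoleArn for the application itself is left out."""
    container = {
        "name": "app", "image": image,
        "secrets": [{"name": n, "valueFrom": arn} for n, arn in secrets.items()],
        "logConfiguration": {"logDriver": "awslogs",
                             "options": {"awslogs-group": log_group, "awslogs-region": REGION,
                                         "awslogs-stream-prefix": "app"}},
    }
    td = {"family": "app", "requiresCompatibilities": [launch_type],
          "executionRoleArn": execution_role_arn, "containerDefinitions": [container]}
    if launch_type == "FARGATE":   # no instance profile exists; awsvpc and sizing are required
        td.update({"networkMode": "awsvpc", "cpu": "256", "memory": "512"})
    return td


def image_pull_principal(launch_type):
    """Identity the ECS agent pulls the image with, as described in the answer above."""
    return {"FARGATE": "task execution role", "EC2": "EC2 instance profile"}[launch_type]


def allows(policy, action, resource):
    """True if some Allow statement grants action on resource (exact ARN or '*')."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or action not in st["Action"]:
            continue
        res = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if "*" in res or resource in res:
            return True
    return False


def missing_secret_grants(td, policy):
    """Secret ARNs referenced by the task definition that the execution role cannot read."""
    missing = []
    for c in td["containerDefinitions"]:
        for s in c.get("secrets", []):
            action = SECRET_ACTION_FOR_SERVICE[s["valueFrom"].split(":")[2]]
            if not allows(policy, action, s["valueFrom"]):
                missing.append(s["valueFrom"])
    return missing


if __name__ == "__main__":
    td = task_definition("FARGATE", IMAGE, EXECUTION_ROLE_ARN, SECRETS, LOG_GROUP)
    policy = execution_role_policy(REPO_ARN, LOG_GROUP_ARN, SECRETS.values())
    print(json.dumps(policy, indent=2))
    print("unreadable secrets:", missing_secret_grants(td, policy))
    for lt in ("FARGATE", "EC2"):
        print(lt, "pulls the image with the", image_pull_principal(lt))
```

The point of `missing_secret_grants` is the failure mode that actually bites people on EC2: the container pulls fine because the instance profile covers ECR, but the task fails to start because a `valueFrom` secret is not readable by the execution role. Running the check against the policy before registering the task definition catches that gap without a deployment.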