
Cannot create ECS Service via CloudFormation

I created the following CloudFormation template files to create an ECS Cluster, TaskDefinition and Service, but got an error. What's wrong with these settings?

  1. When creating the ECS Service using the following templates, I got: Please verify that the ECS service role being passed has the proper permissions
  2. When creating the templates without the property Role: !ImportValue "IAMRoleECSService", no errors occur, but it never gets past CREATE_IN_PROGRESS

ECSApplicationService:
  Type: "AWS::ECS::Service"
  DependsOn:
    - "ECSApplicationCluster"
    - "ECSApplicationTaskDefinition"
  Properties:
    Cluster: !Ref "ECSApplicationCluster"
    DeploymentConfiguration:
      MaximumPercent: 100
      MinimumHealthyPercent: 50
    DesiredCount: 4
    LoadBalancers:
      - ContainerName: !Ref "ContainerAppName"
        ContainerPort: 80
        TargetGroupArn: !ImportValue "ALBTargetGroup"
    Role: !ImportValue "IAMRoleECSService"
    ServiceName: "ecs-application-service"
    TaskDefinition: !Ref "ECSApplicationTaskDefinition"

IAMRoleECSService:
  Type: "AWS::IAM::Role"
  Properties:
    RoleName: "ecs-service"
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: "Allow"
          Principal:
            Service:
              - "ecs.amazonaws.com"
          Action:
            - "sts:AssumeRole"
    Policies:
      - PolicyName: "ec2-management"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Action:
                - "ec2:AuthorizeSecurityGroupIngress"
                - "ec2:Describe*"
              Resource: "*"
      - PolicyName: "alb-management"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Action:
                - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
                - "elasticloadbalancing:DeregisterTargets"
                - "elasticloadbalancing:DescribeTargetGroups"
                - "elasticloadbalancing:DescribeTargetHealth"
                - "elasticloadbalancing:Describe*"
                - "elasticloadbalancing:RegisterInstancesWithLoadBalancer"
                - "elasticloadbalancing:RegisterTargets"
              Resource: "*"

What should I do?

Yohsuke Inoda asked Dec 04 '17 14:12



1 Answer

UPDATE: As of July 19th 2018, it is now possible to create IAM Service-Linked Roles using CloudFormation: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html

EcsServiceLinkedRole:
  Type: "AWS::IAM::ServiceLinkedRole"
  Properties:
    AWSServiceName: "ecs.amazonaws.com"
    Description: "Role to enable Amazon ECS to manage your cluster."

OLD ANSWER: ECS now relies on Service-Linked Roles instead of normal roles. Make sure you have created it for the account using:

aws iam create-service-linked-role --aws-service-name ecs.amazonaws.com

Then remove the Role parameter from your IAMRoleECSService as it's no longer needed.

Laurent Jalbert Simard answered Sep 21 '22 20:09
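An idempotent form of the create-service-linked-role step from the answer above, as an added example that is not part of the original post: it creates the role only when IAM reports it missing and stops on any other error (expired credentials, no iam:GetRole permission) instead of masking it. It assumes the ECS service-linked role carries its standard name AWSServiceRoleForECS and that the AWS CLI is configured; the function name and the --apply switch are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original answer.
# Assumption: the ECS service-linked role uses the standard name below.
ECS_SLR_NAME="AWSServiceRoleForECS"

# Prints "exists", "created" or "error: ...".
# Returns 0 only when the role is present once the function finishes.
ensure_ecs_service_linked_role() {
    # Capture stderr only (stdout is discarded) so that "role is missing"
    # can be told apart from every other failure.
    if err=$(aws iam get-role --role-name "$ECS_SLR_NAME" 2>&1 >/dev/null); then
        echo "exists"
        return 0
    fi

    case "$err" in
        *NoSuchEntity*)
            ;;  # role is absent: fall through and create it
        *)
            # Anything else means we could not determine the state;
            # creating blindly here would hide a credentials or policy problem.
            echo "error: cannot check role: $err"
            return 1
            ;;
    esac

    if err=$(aws iam create-service-linked-role \
                 --aws-service-name ecs.amazonaws.com 2>&1 >/dev/null); then
        echo "created"
        return 0
    fi

    echo "error: create failed: $err"
    return 1
}

# Run only when asked to, e.g. `sh ensure-ecs-slr.sh --apply` before the
# stack that contains the AWS::ECS::Service is deployed.
case "${1:-}" in
    --apply) ensure_ecs_service_linked_role ;;
esac
```

The same existence check matters for the AWS::IAM::ServiceLinkedRole resource shown in the update: it is only needed in accounts where the role has not been created yet.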