I created the following CloudFormation template files to create an ECS Cluster, TaskDefinition, and Service, but got an error. What's wrong with these settings?
Please verify that the ECS service role being passed has the proper permissions
Role: !ImportValue "IAMRoleECSService", does not occur errors, but does not finish from CREATE_IN_PROGRESS
    ECSApplicationService:
      Type: "AWS::ECS::Service"
      DependsOn:
        - "ECSApplicationCluster"
        - "ECSApplicationTaskDefinition"
      Properties:
        Cluster: !Ref "ECSApplicationCluster"
        DeploymentConfiguration:
          MaximumPercent: 100
          MinimumHealthyPercent: 50
        DesiredCount: 4
        LoadBalancers:
          - ContainerName: !Ref "ContainerAppName"
            ContainerPort: 80
            TargetGroupArn: !ImportValue "ALBTargetGroup"
        Role: !ImportValue "IAMRoleECSService"
        ServiceName: "ecs-application-service"
        TaskDefinition: !Ref "ECSApplicationTaskDefinition"
    IAMRoleECSService:
      Type: "AWS::IAM::Role"
      Properties:
        RoleName: "ecs-service"
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Principal:
                Service:
                  - "ecs.amazonaws.com"
              Action:
                - "sts:AssumeRole"
        Policies:
          - PolicyName: "ec2-management"
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: "Allow"
                  Action:
                    - "ec2:AuthorizeSecurityGroupIngress"
                    - "ec2:Describe*"
                  Resource: "*"
          - PolicyName: "alb-management"
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: "Allow"
                  Action:
                    - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
                    - "elasticloadbalancing:DeregisterTargets"
                    - "elasticloadbalancing:DescribeTargetGroups"
                    - "elasticloadbalancing:DescribeTargetHealth"
                    - "elasticloadbalancing:Describe*"
                    - "elasticloadbalancing:RegisterInstancesWithLoadBalancer"
                    - "elasticloadbalancing:RegisterTargets"
                  Resource: "*"
What should I do?
UPDATE: As of July 19th 2018, it is now possible to create an IAM Service-Linked Role using CloudFormation: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html
    EcsServiceLinkedRole:
      Type: "AWS::IAM::ServiceLinkedRole"
      Properties:
        AWSServiceName: "ecs.amazonaws.com"
        Description: "Role to enable Amazon ECS to manage your cluster."
OLD ANSWER: ECS now relies on Service-Linked Roles instead of normal roles. Make sure you have created it for the account using:
    aws iam create-service-linked-role --aws-service-name ecs.amazonaws.com
Then remove the Role parameter from your IAMRoleECSService as it's no longer needed.
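
The question's service definition with the answer applied, as an added example that is not part of the original posts: the `Role` property is dropped from the `AWS::ECS::Service` resource and the service waits for the service-linked role. It assumes `ECSApplicationCluster`, `ECSApplicationTaskDefinition`, the `ContainerAppName` parameter and the `ALBTargetGroup` export are defined as in the question's templates.

```yaml
# Added example (template fragment), not the original poster's code.
Resources:
  # Stack creation fails if AWSServiceRoleForECS already exists in the
  # account (for example after running the CLI command from the old answer).
  # In that case omit this resource and the DependsOn entry that names it.
  EcsServiceLinkedRole:
    Type: "AWS::IAM::ServiceLinkedRole"
    Properties:
      AWSServiceName: "ecs.amazonaws.com"
      Description: "Role to enable Amazon ECS to manage your cluster."

  ECSApplicationService:
    Type: "AWS::ECS::Service"
    DependsOn:
      - "EcsServiceLinkedRole"
      - "ECSApplicationCluster"
      - "ECSApplicationTaskDefinition"
    Properties:
      Cluster: !Ref "ECSApplicationCluster"
      DeploymentConfiguration:
        MaximumPercent: 100
        MinimumHealthyPercent: 50
      DesiredCount: 4
      LoadBalancers:
        - ContainerName: !Ref "ContainerAppName"
          ContainerPort: 80
          TargetGroupArn: !ImportValue "ALBTargetGroup"
      # No Role property here: ECS uses the service-linked role, so the
      # hand-written "ecs-service" role with its Resource: "*" policies is
      # no longer referenced by this service and can be retired.
      ServiceName: "ecs-application-service"
      TaskDefinition: !Ref "ECSApplicationTaskDefinition"
```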