ECS CLI - You cannot specify an IAM role for services that require a service linked role

I'm trying to deploy a container to ECS (Fargate) via aws cli. I'm able to create the task definition successfully, the problem comes when I want to add a new service to my Fargate cluster.

This is the command I execute:

aws ecs create-service --cli-input-json file://aws_manual_cfn/ecs-service.json

This is the error that I'm getting:

An error occurred (InvalidParameterException) when calling the CreateService operation: You cannot specify an IAM role for services that require a service linked role.

ecs-service.json

{
  "cluster": "my-fargate-cluster",
  "role": "AWSServiceRoleForECS",
  "serviceName": "dropinfun-spots",
  "desiredCount": 1,
  "launchType": "FARGATE",
  "networkConfiguration": {
    "awsvpcConfiguration": {
      "assignPublicIp": "ENABLED",
      "securityGroups": ["sg-06d506f7e444f2faa"],
      "subnets": ["subnet-c8ffcbf7", "subnet-1c7b6078", "subnet-d47f7efb", "subnet-e704cfad", "subnet-deeb43d1", "subnet-b59097e8"]
    }
  },
  "taskDefinition": "dropinfun-spots-task",
  "loadBalancers": [
    {
      "targetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:************:targetgroup/dropinfun-spots-target-group/c21992d4a411010f",
      "containerName": "dropinfun-spots-service",
      "containerPort": 80
    }
  ]
}

task-definition.json

{
  "family": "dropinfun-spots-task",
  "executionRoleArn": "arn:aws:iam::************:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS",
  "memory": "0.5GB",
  "cpu": "256",
  "networkMode": "awsvpc",
  "requiresCompatibilities": [
    "FARGATE"
  ],
  "containerDefinitions": [
    {
      "name": "dropinfun-spots-service",
      "image": "************.dkr.ecr.us-east-1.amazonaws.com/dropinfun-spots-service:latest",
      "memory": 512,
      "portMappings": [
        {
          "containerPort": 80
        }
      ],
      "essential": true
    }
  ]
}

Any idea on how to manage this linked-role error?



2 Answers

Since you are trying to create Fargate launch type tasks, you set the network mode to awsvpc mode in the task definition (Fargate only supports awsvpc mode).

In your ecs-service.json, I can see that it has "role": "AWSServiceRoleForECS". It seems that you are trying to assign a service role to this service. AWS does not allow you to specify an IAM role for services that require a service-linked role.

If you assigned the service IAM role because you want to use a load balancer, you can remove it, because task definitions that use the awsvpc network mode use the service-linked role, which is created for you automatically [1].

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using-service-linked-roles.html#create-service-linked-role



Instead of specifying "role": "AWSServiceRoleForECS",

you can specify taskRoleArn in addition to executionRoleArn if you want to assign a specific role to your service (container). It is useful if you want your container to access other AWS services on your behalf.

task-definition.json

{
  "family": "dropinfun-spots-task",
  "executionRoleArn": "arn:aws:iam::************:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS",
  "taskRoleArn": "here_you_can_define_arn_of_a_specific_iam_role",
  "memory": "0.5GB",
  "cpu": "256",
  "networkMode": "awsvpc",
  "requiresCompatibilities": [
    "FARGATE"
  ],
  "containerDefinitions": [
    {
      "name": "dropinfun-spots-service",
      "image": "************.dkr.ecr.us-east-1.amazonaws.com/dropinfun-spots-service:latest",
      "memory": 512,
      "portMappings": [
        {
          "containerPort": 80
        }
      ],
      "essential": true
    }
  ]
}

Off-note: it is very bad practice to post your AWS account ID.

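Both answers come down to the same two points: a Fargate/awsvpc service must not carry a service-level "role" (ECS uses the AWSServiceRoleForECS service-linked role on its own), and per-task permissions belong in executionRoleArn (what the ECS agent uses to pull the image and ship logs) and taskRoleArn (what the application code inside the container gets). A service-linked role is trusted only by its own service principal (ecs.amazonaws.com), so it is also the wrong thing to put in executionRoleArn, where ECS needs a role trusted by ecs-tasks.amazonaws.com. The linter below, an added example that is not code from the question or either answer, runs those checks over a cut-down copy of the poster's two JSON files before you hand them to `aws ecs register-task-definition` / `aws ecs create-service`. The account ID, subnet and security-group IDs, and the role names ecsTaskExecutionRole and dropinfun-spots-task-role in the sample data are constructed placeholders, not values from the page.

```python
"""Lint an ECS service + task definition pair for the role mistakes discussed above.

Added example, not code from the original post. The sample JSON is a constructed,
trimmed copy of the poster's files with masked IDs; the role names used in the
fix are assumptions (there is no such role unless you create it).
"""
import copy
import json

# Constructed sample: the poster's ecs-service.json, trimmed, IDs masked.
SERVICE_JSON = """{
  "cluster": "my-fargate-cluster",
  "role": "AWSServiceRoleForECS",
  "serviceName": "dropinfun-spots",
  "desiredCount": 1,
  "launchType": "FARGATE",
  "networkConfiguration": {"awsvpcConfiguration": {"assignPublicIp": "ENABLED",
      "securityGroups": ["sg-0123456789abcdef0"], "subnets": ["subnet-0123456789abcdef0"]}},
  "taskDefinition": "dropinfun-spots-task"
}"""

# Constructed sample: the poster's task-definition.json, trimmed, account masked.
TASK_DEF_JSON = """{
  "family": "dropinfun-spots-task",
  "executionRoleArn": "arn:aws:iam::123456789012:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS",
  "memory": "0.5GB", "cpu": "256", "networkMode": "awsvpc",
  "requiresCompatibilities": ["FARGATE"],
  "containerDefinitions": [{"name": "dropinfun-spots-service",
      "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/dropinfun-spots-service:latest",
      "memory": 512, "portMappings": [{"containerPort": 80}], "essential": true}]
}"""

SERVICE_LINKED_PATH = "/aws-service-role/"  # path segment every service-linked role ARN carries


def sample_definitions():
    """Parse the constructed samples into (service, task_def) dicts."""
    return json.loads(SERVICE_JSON), json.loads(TASK_DEF_JSON)


def lint(service, task_def):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    # Fargate and awsvpc services are managed through the service-linked role; a
    # service-level "role" is exactly what CreateService rejects.
    uses_slr = task_def.get("networkMode") == "awsvpc" or service.get("launchType") == "FARGATE"
    if "role" in service and uses_slr:
        findings.append(("error", "service 'role' is set, but awsvpc/Fargate services use the "
                                  "AWSServiceRoleForECS service-linked role automatically; remove 'role'"))
    # Tasks assume roles via ecs-tasks.amazonaws.com; a service-linked role only
    # trusts its own service principal, so it can never serve as a task/execution role.
    for key in ("executionRoleArn", "taskRoleArn"):
        if SERVICE_LINKED_PATH in task_def.get(key, ""):
            findings.append(("error", f"{key} points at a service-linked role; use a role whose trust "
                                      "policy allows ecs-tasks.amazonaws.com instead"))
    if "taskRoleArn" not in task_def:
        findings.append(("info", "no taskRoleArn: the container gets no AWS credentials of its own "
                                 "(fine unless the application calls AWS APIs)"))
    # Supply-chain note: a mutable tag such as :latest re-resolves on every deploy.
    for c in task_def.get("containerDefinitions", []):
        if "@sha256:" not in c.get("image", ""):
            findings.append(("warn", f"container {c.get('name')!r} image is not pinned by digest"))
    return findings


def fix(service, task_def, execution_role_arn, task_role_arn=None):
    """Return corrected copies: drop 'role', set a proper execution role, optionally a task role."""
    s, t = copy.deepcopy(service), copy.deepcopy(task_def)
    s.pop("role", None)
    t["executionRoleArn"] = execution_role_arn
    if task_role_arn:
        t["taskRoleArn"] = task_role_arn
    return s, t


if __name__ == "__main__":
    svc, td = sample_definitions()
    for sev, msg in lint(svc, td):
        print(f"[{sev}] {msg}")
    # Assumed role names: create them in IAM before use (trust ecs-tasks.amazonaws.com).
    svc2, td2 = fix(svc, td,
                    "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
                    "arn:aws:iam::123456789012:role/dropinfun-spots-task-role")
    print("after fix:", lint(svc2, td2))
    # Write the corrected files and then run:
    #   aws ecs register-task-definition --cli-input-json file://task-definition.json
    #   aws ecs create-service --cli-input-json file://ecs-service.json
```

The execution role and the task role are deliberately kept separate: the execution role needs ECR pull and CloudWatch Logs permissions and nothing application-specific, while the task role carries only what the code in the container must call, which keeps a compromised container from inheriting the agent's registry and logging rights.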