I'm attempting to follow the ecs-cli Fargate deployment tutorial and have hit a problem attempting to deploy my service.
I am attempting to deploy my test container using ecs-cli compose --project-name tutorial-maltz service up
but I am getting an error which says "InvalidParameterException: Unable to assume the service linked role. Please verify that the ECS service linked role exists.\n\tstatus code: 400, request id
So far I have created my IAM permission using the steps provided, and have verified that I have an IAM role ecsTaskExecutionRole which contains an AmazonECSTaskExecutionRolePolicy. This policy also has a trust relationship which looks like the following:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {
                    "Service": "ecs-tasks.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
All of this is being deployed off of an ecs-params.yml file which looks like the following:
    version: 1
    task_definition:
      task_execution_role: ecsTaskExecutionRole
      ecs_network_mode: awsvpc
      task_size:
        mem_limit: 0.5GB
        cpu_limit: 256
    run_params:
      network_configuration:
        awsvpc_configuration:
          subnets:
            - "subnet-from-ecs-cli-up"
          security_groups:
            - "subnet-created-by-ecs-cli-up"
          assign_public_ip: ENABLED
I'm not really sure where to look next. Am I missing an IAM role? Do I need to add some additional parameters to my existing IAM roles?
Amazon ECS uses the service-linked role named AWSServiceRoleForECS to enable Amazon ECS to call AWS APIs on your behalf. The AWSServiceRoleForECS service-linked role trusts the ecs.amazonaws.com service principal to assume the role.
To delete a service-linked role (console): Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/ . In the navigation pane of the IAM console, choose Roles. Then select the check box next to AWSServiceRoleForECS, not the name or row itself. Choose Delete role.
A unique type of service role that is linked directly to an AWS service. Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf. The linked service also defines how you create, modify, and delete a service-linked role.
For future people running into this issue, the solution was to create a service linked role for ECS as a whole. This had to be done by an admin on the AWS account.
Note that this is different from the TaskExecutionRole which you create earlier in the tutorial. The service linked role allows ECS to do things like spin up new EC2 instances and create ELB stacks. TaskExecutionRole is only for the thing that launches the tasks.
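The check-then-create step the answer describes, as an added shell example (not code from the question, the answer, or the ecs-cli project). It assumes the AWS CLI is installed and a profile is configured; the AWS_CLI variable is an assumption of this script so a wrapper or stub can stand in for the real binary. The role name AWSServiceRoleForECS and the principal ecs.amazonaws.com are the ones named above. The last function prints the narrowest IAM policy that lets a non-admin principal create only this service-linked role, which is the least-privilege alternative to handing the task to a full administrator.

```shell
#!/bin/sh
# Added example: make sure the ECS service-linked role exists before running
# "ecs-cli compose ... service up". AWS_CLI is an assumed hook for testing.
AWS_CLI="${AWS_CLI:-aws}"
ROLE_NAME="AWSServiceRoleForECS"
SERVICE_NAME="ecs.amazonaws.com"

# Exit status: 0 = role exists, 1 = role is missing (NoSuchEntity),
# 2 = some other failure, typically AccessDenied because the caller
# lacks iam:GetRole. Only stderr of the CLI is captured.
ecs_slr_status() {
  err=$("$AWS_CLI" iam get-role --role-name "$ROLE_NAME" 2>&1 >/dev/null) && return 0
  case "$err" in
    *NoSuchEntity*) return 1 ;;
    *) printf 'get-role failed: %s\n' "$err" >&2; return 2 ;;
  esac
}

# Create the service-linked role only when it is genuinely absent.
# Returns 0 when the role exists afterwards, 1 when it could not be
# verified or created (the point at which an administrator is needed).
ensure_ecs_service_linked_role() {
  rc=0
  ecs_slr_status || rc=$?
  case "$rc" in
    0) echo "$ROLE_NAME already exists"; return 0 ;;
    1) ;;
    *) return 1 ;;
  esac
  # Creation needs iam:CreateServiceLinkedRole scoped to ecs.amazonaws.com.
  if "$AWS_CLI" iam create-service-linked-role --aws-service-name "$SERVICE_NAME" >/dev/null; then
    echo "created $ROLE_NAME"
    return 0
  fi
  echo "could not create $ROLE_NAME; ask an account administrator" >&2
  return 1
}

# Least-privilege policy an admin can attach to a deployer so that it can
# create this one service-linked role and nothing else. The Resource path
# /aws-service-role/ecs.amazonaws.com/ and the iam:AWSServiceName condition
# key both restrict the grant to ECS.
ecs_slr_delegation_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS",
      "Condition": { "StringLike": { "iam:AWSServiceName": "ecs.amazonaws.com" } }
    }
  ]
}
EOF
}

# Typical use: ensure_ecs_service_linked_role && ecs-cli compose ... service up
```

Running ensure_ecs_service_linked_role from a non-admin profile surfaces the real blocker immediately: an AccessDenied on get-role or create-service-linked-role means the deployer needs either the delegation policy above or an administrator to run the creation once per account, which matches the experience reported in the answer.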