Unable to assume service linked role when using ecs-cli

I'm attempting to follow the ecs-cli Fargate deployment tutorial and have hit a problem attempting to deploy my service.

I am attempting to deploy my test container using ecs-cli compose --project-name tutorial-maltz service up but I am getting an error which says:

InvalidParameterException: Unable to assume the service linked role. Please verify that the ECS service linked role exists.
    status code: 400, request id

So far I have created my IAM permission using the steps provided, and have verified that I have an IAM role ecsTaskExecutionRole which contains an AmazonECSTaskExecutionRolePolicy. This policy also has a trust relationship which looks like the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

All of this is being deployed from an ecs-params.yml file which looks like the following:

version: 1
task_definition:
    task_execution_role: ecsTaskExecutionRole   # role trusted by ecs-tasks.amazonaws.com
    ecs_network_mode: awsvpc
    task_size:
        mem_limit: 0.5GB
        cpu_limit: 256
run_params:
    network_configuration:
        awsvpc_configuration:
            subnets:
                - "subnet-from-ecs-cli-up"
            security_groups:
                - "subnet-created-by-ecs-cli-up"
            assign_public_ip: ENABLED   # must sit under awsvpc_configuration, not beside it

I'm not really sure where to look next. Am I missing an IAM role? Do I need to add some additional parameters to my existing IAM roles?

Jonathan asked Feb 26 '19 02:02

People also ask

What is AWSServiceRoleForECS?

Amazon ECS uses the service-linked role named AWSServiceRoleForECS to enable Amazon ECS to call AWS APIs on your behalf. The AWSServiceRoleForECS service-linked role trusts the ecs.amazonaws.com service principal to assume the role.

How do I delete a service-linked role in ECS?

To delete a service-linked role (console):
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane of the IAM console, choose Roles.
3. Select the check box next to AWSServiceRoleForECS, not the name or row itself.
4. Choose Delete role.

What is the difference between service role and service-linked role?

A service-linked role is a unique type of service role that is linked directly to an AWS service. Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf. The linked service also defines how you create, modify, and delete a service-linked role.


1 Answer

For future people running into this issue, the solution was to create a service linked role for ECS as a whole. This had to be done by an admin on the AWS account.

Note that this is different from the TaskExecutionRole which you create earlier in the tutorial. The service linked role allows ECS to do things like spin up new EC2 instances and create ELB stacks. TaskExecutionRole is only for the thing that launches the tasks.

Jonathan answered Oct 09 '22 15:10
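The check and fix the answer describes, as an added example that is not part of the original question or answer: it looks for the AWSServiceRoleForECS service-linked role and creates it when it is missing, then prints the service principal in its trust policy so you can confirm it is ecs.amazonaws.com (the ecsTaskExecutionRole from the question trusts ecs-tasks.amazonaws.com, which is a different principal and does not satisfy this error). It assumes the AWS CLI is installed and configured with credentials that hold iam:GetRole and iam:CreateServiceLinkedRole, which in practice means an account admin; the function names ecs_slr_exists, ensure_ecs_slr and ecs_slr_trust_principal are my own.

```shell
#!/bin/sh
# Added example, not from the original post: make sure the ECS service-linked
# role exists before running "ecs-cli compose ... service up".
# Assumes the AWS CLI is on PATH and configured with credentials that hold
# iam:GetRole and iam:CreateServiceLinkedRole (an account admin, as the
# answer says).

ROLE_NAME="AWSServiceRoleForECS"      # fixed name chosen by ECS
SERVICE_NAME="ecs.amazonaws.com"      # principal the service-linked role trusts

# Exit 0 if the service-linked role already exists, non-zero otherwise.
ecs_slr_exists() {
    aws iam get-role --role-name "$ROLE_NAME" >/dev/null 2>&1
}

# Create the role only when it is missing (creating it twice is an error).
# Prints "present" or "created" so a caller can check what happened.
ensure_ecs_slr() {
    if ecs_slr_exists; then
        echo "present"
        return 0
    fi
    aws iam create-service-linked-role --aws-service-name "$SERVICE_NAME" >/dev/null \
        && echo "created"
}

# Print the service principal from the role's trust policy. For the
# service-linked role this is ecs.amazonaws.com; ecsTaskExecutionRole from
# the question trusts ecs-tasks.amazonaws.com instead, which is why having
# that role alone does not clear the InvalidParameterException.
ecs_slr_trust_principal() {
    aws iam get-role --role-name "$ROLE_NAME" \
        --query 'Role.AssumeRolePolicyDocument.Statement[0].Principal.Service' \
        --output text
}

# Usage, after sourcing this file:
#   ensure_ecs_slr && ecs_slr_trust_principal
```

Run it once with admin credentials; afterwards the non-admin identity used for ecs-cli needs no extra permissions, because the service-linked role belongs to ECS and not to the caller.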