Reputation: 211
I'm trying to deploy a container to ECS (Fargate) via aws cli. I'm able to create the task definition successfully, the problem comes when I want to add a new service to my Fargate cluster.
This is the command I execute:
aws ecs create-service --cli-input-json file://aws_manual_cfn/ecs-service.json
This is the error that I'm getting:
An error occurred (InvalidParameterException) when calling the CreateService operation: You cannot specify an IAM role for services that require a service linked role.
ecs-service.json
{
    "cluster": "my-fargate-cluster",
    "role": "AWSServiceRoleForECS",
    "serviceName": "dropinfun-spots",
    "desiredCount": 1,
    "launchType": "FARGATE",
    "networkConfiguration": {
        "awsvpcConfiguration": {
            "assignPublicIp": "ENABLED",
            "securityGroups": ["sg-06d506f7e444f2faa"],
            "subnets": ["subnet-c8ffcbf7", "subnet-1c7b6078", "subnet-d47f7efb", "subnet-e704cfad", "subnet-deeb43d1", "subnet-b59097e8"]
        }
    },
    "taskDefinition": "dropinfun-spots-task",
    "loadBalancers": [
        {
            "targetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:************:targetgroup/dropinfun-spots-target-group/c21992d4a411010f",
            "containerName": "dropinfun-spots-service",
            "containerPort": 80
        }
    ]
}
task-definition.json
{
    "family": "dropinfun-spots-task",
    "executionRoleArn": "arn:aws:iam::************:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS",
    "memory": "0.5GB",
    "cpu": "256",
    "networkMode": "awsvpc",
    "requiresCompatibilities": [
        "FARGATE"
    ],
    "containerDefinitions": [
        {
            "name": "dropinfun-spots-service",
            "image": "************.dkr.ecr.us-east-1.amazonaws.com/dropinfun-spots-service:latest",
            "memory": 512,
            "portMappings": [
                {
                    "containerPort": 80
                }
            ],
            "essential": true
        }
    ]
}
Any idea on how to manage this linked-role error?
Upvotes: 21
Views: 19777
Reputation: 627
Since you are trying to create Fargate launch type tasks, you set the network mode to awsvpc in the task definition (Fargate only supports awsvpc mode).
In your ecs-service.json, I can see that it has "role": "AWSServiceRoleForECS". It seems that you are trying to assign a service role for this service. AWS does not allow you to specify an IAM role for services that require a service-linked role.
If you assigned the service IAM role because you want to use a load balancer, you can remove it, because task definitions that use the awsvpc network mode use the service-linked role, which is created for you automatically [1].
Upvotes: 20
Reputation: 185
Instead of specifying "role": "AWSServiceRoleForECS", you can specify taskRoleArn in addition to executionRoleArn if you want to assign a specific role to your service (container). It will be useful if you want your container to access other AWS services on your behalf.
task-definition.json
{
    "family": "dropinfun-spots-task",
    "executionRoleArn": "arn:aws:iam::************:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS",
    "taskRoleArn": "here_you_can_define_arn_of_a_specific_iam_role",
    "memory": "0.5GB",
    "cpu": "256",
    "networkMode": "awsvpc",
    "requiresCompatibilities": [
        "FARGATE"
    ],
    "containerDefinitions": [
        {
            "name": "dropinfun-spots-service",
            "image": "************.dkr.ecr.us-east-1.amazonaws.com/dropinfun-spots-service:latest",
            "memory": 512,
            "portMappings": [
                {
                    "containerPort": 80
                }
            ],
            "essential": true
        }
    ]
}
Off-note: it is very bad practice to post your AWS account_id.
Upvotes: 3
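Both answers boil down to the same pre-flight rules: an awsvpc/Fargate service must not carry a `role` field, and per-container permissions go on a real `taskRoleArn`. The linter below is an added example (not code from the thread or from AWS) that checks a service definition and task definition pair for those rules, plus the load balancer container/port mapping; `lint_ecs_service` and the sample dicts are constructed, and the account id and ARNs in them are placeholders.

```python
import re
from typing import Any

# Hypothetical pre-flight linter (added example, not from the thread): catches the
# awsvpc / service-linked-role mistake before `aws ecs create-service` is ever called.
IAM_ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

def lint_ecs_service(service: dict[str, Any], task_def: dict[str, Any]) -> list[str]:
    """Return a list of problems; an empty list means the pair looks deployable."""
    problems: list[str] = []
    uses_awsvpc = task_def.get("networkMode") == "awsvpc"
    # Fargate only supports the awsvpc network mode.
    if service.get("launchType") == "FARGATE" and not uses_awsvpc:
        problems.append("launchType FARGATE requires networkMode awsvpc in the task definition")
    # awsvpc services get the ECS service-linked role automatically; a `role` field here
    # is what produces "You cannot specify an IAM role for services that require a service linked role".
    if uses_awsvpc and "role" in service:
        problems.append("remove 'role': awsvpc services use the service-linked role automatically")
    # Permissions the container itself needs belong on taskRoleArn, which must be a real role ARN.
    task_role = task_def.get("taskRoleArn")
    if task_role is not None and not IAM_ROLE_ARN.match(task_role):
        problems.append(f"taskRoleArn is not an IAM role ARN: {task_role!r}")
    # The load balancer mapping must name a container and port the task definition exposes.
    containers = {c["name"]: c for c in task_def.get("containerDefinitions", [])}
    for lb in service.get("loadBalancers", []):
        ctr = containers.get(lb.get("containerName"))
        if ctr is None:
            problems.append(f"loadBalancer container {lb.get('containerName')!r} is not in the task definition")
            continue
        if lb.get("containerPort") not in {pm.get("containerPort") for pm in ctr.get("portMappings", [])}:
            problems.append(f"loadBalancer port {lb.get('containerPort')} is not exposed by {ctr['name']!r}")
    return problems

# Constructed sample mirroring the question's files; the account id and ARNs are placeholders.
SERVICE = {
    "role": "AWSServiceRoleForECS",
    "launchType": "FARGATE",
    "loadBalancers": [{"targetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/placeholder",
                       "containerName": "dropinfun-spots-service", "containerPort": 80}],
}
TASK_DEF = {
    "family": "dropinfun-spots-task",
    "networkMode": "awsvpc",
    "taskRoleArn": "here_you_can_define_arn_of_a_specific_iam_role",
    "containerDefinitions": [{"name": "dropinfun-spots-service", "portMappings": [{"containerPort": 80}]}],
}
```

Run `lint_ecs_service(SERVICE, TASK_DEF)` against the sample and it reports the stray `role` and the placeholder `taskRoleArn`; once those are fixed the list is empty.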