Confused by the role requirement of ECS

amazon-iam amazon-ecs
18,040

Solution 1

The only necessary role is the Container Instance IAM role. This role allows the ECS agent (running on your EC2 instance) to communicate with Amazon ECS.

There are five other roles that you may also find useful, for different purposes:

  • ECS Service-Linked role (SLR) - This role enables Amazon ECS to manage a variety of AWS resources associated with your application on your behalf. When using a Service, this role allows Amazon ECS to manage the load balancer (Classic Load Balancers, Application Load Balancers, and Network Load Balancers) and service discovery (with Route 53) associated with your service. When using task networking, this role allows Amazon ECS to attach and detach Elastic Network Interfaces (ENIs) to your tasks. This role is required when using AWS Fargate.
  • Service Scheduler IAM role - Prior to the introduction of the ECS Service-Linked role (SLR), this role was used in conjunction with a Service to enable Amazon ECS to manage the load balancer associated with your service. If you want to use an Elastic Load Balancer (whether a Classic Load Balancer, an Application Load Balancer, or a Network Load Balancer) with your ECS service, you can use this role. Now that the ECS SLR is available you can use either of the two roles, but you may still wish to use this role if you want to restrict the permissions that are granted to Amazon ECS to cover specific load balancer resources.
  • Auto Scaling IAM role - This role is used in conjunction with a Service and allows the Application Auto Scaling service to scale the desired count of your Service in or out.
  • Task IAM role - This role can be used with any Task (including Tasks launched by a Service). This role is very similar to an EC2 instance profile, but allows you to associate permissions with individual Tasks rather than with the underlying EC2 instance that is hosting those Tasks. If you are running a number of different applications across your ECS cluster with different permissions required, you can use the Task IAM role to grant specific permissions to each Task rather than ensuring that every EC2 instance in your cluster has the combined set of permissions that any application would need.
  • Task execution role - This role is required when using AWS Fargate and replaces the Container Instance IAM role, which is unavailable for the FARGATE launch type. This role enables AWS Fargate to pull your container images from Amazon ECR and to forward your logs to Amazon CloudWatch Logs. This role is also used (on both the Fargate and the EC2 launch types) to enable private registry authentication and secrets from AWS Secrets Manager and AWS Systems Manager Parameter Store.

Solution 2

Using my Administrator role, when creating an ECS Cluster, I too was blocked by... "ECS Cluster Unable to assume the service linked role. Please verify that the ECS service linked role exists."

And I verified that indeed the role, AWSServiceRoleForECS, existed.

The Fix? By exercising the "Get Started" wizard, it (re)configured something under the covers and now my Administrator roles is allowed to assume AWSServiceRoleForECS and successfully creates cluster.

Solution 3

In addition to this very good explanation of @samuel-karp, today I ran into a problem when migrating from classic ELB to the ALB in combination of custom task_role_arn for ECS services.

Although I followed the instructions described behind the link Task IAM role, the Error was

Unable to assume role and validate the specified targetGroupArn. Please verify that the ECS service role being passed has the proper permissions.

The thing is that the service seems to register itself at the load balancer. It only worked when I exchanged the Principal from ecs.amazonaws.com to

"Principal": { "Service": "ecs-tasks.amazonaws.com" }

Share:
18,040

Related videos on Youtube

Jason Lee
Author by

Jason Lee

Updated on September 18, 2022

Comments

  • Jason Lee
    Jason Lee over 1 year

    I am trying to set up a ECS but so far I have encountered a few permission issue for which I have created some questions on this forum already.

    I think I am stuck so far because honestly I cannot find out all these role requirements in one place concisely.

    It seems like I need to define at least two roles:

    1) ECS container http://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html

    2) ECS task http://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html#enable_task_iam_roles

    Is it correct?

    Did I miss out anything? Is there any special IAM requirement?

  • Dustin Oprea
    Dustin Oprea over 2 years
    Any idea what happens and who wins in EC2 when there is both a service role (e.g. ecsServiceRole) and an EC2 role (e.g. ecsInstanceRole). Is it always the latter? I just had a problem publishing to SNS, updated the service role, and, when it failed, I only then noticed that the error actually mentioned my instance role.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Difference between AWS Elastic Container Service's (ECS) ExecutionRole and TaskRole
Unable to find .aws directory
ECS/ECR: is common practice to have one repository per image (and associated versions)?
Codepipeline: Insufficient permissions Unable to access the artifact with Amazon S3 object key
How to configure hostname in ECS Fargate task definition
An error occurred: Policy document should not specify a principal
Invoking AWS Step function from Lambda in python
AWS API Gateway: How to pass IAM identity to Lambda function?
clone AWS codecommit repo via HTTP
Amazon RDS IAM PAM Auth failed