18

I'm trying to deploy a container to ECS (Fargate) via aws cli. I'm able to create the task definition successfully, the problem comes when I want to add a new service to my Fargate cluster.

This is the command I execute:

aws ecs create-service --cli-input-json file://aws_manual_cfn/ecs-service.json

This is the error that I'm getting:

An error occurred (InvalidParameterException) when calling the CreateService operation: You cannot specify an IAM role for services that require a service linked role.

ecs-service.json

{
  "cluster": "my-fargate-cluster",
  "role": "AWSServiceRoleForECS",
  "serviceName": "dropinfun-spots",
  "desiredCount": 1,
  "launchType": "FARGATE",
  "networkConfiguration": {
    "awsvpcConfiguration": {
      "assignPublicIp": "ENABLED",
      "securityGroups": ["sg-06d506f7e444f2faa"],
      "subnets": ["subnet-c8ffcbf7", "subnet-1c7b6078", "subnet-d47f7efb", "subnet-e704cfad", "subnet-deeb43d1", "subnet-b59097e8"]
    }
  },
  "taskDefinition": "dropinfun-spots-task",
  "loadBalancers": [
    {
      "targetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:************:targetgroup/dropinfun-spots-target-group/c21992d4a411010f",
      "containerName": "dropinfun-spots-service",
      "containerPort": 80
    }
  ]
}

task-definition.json

{
  "family": "dropinfun-spots-task",
  "executionRoleArn": "arn:aws:iam::************:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS",
  "memory": "0.5GB",
  "cpu": "256",
  "networkMode": "awsvpc",
  "requiresCompatibilities": [
    "FARGATE"
  ],
  "containerDefinitions": [
    {
      "name": "dropinfun-spots-service",
      "image": "************.dkr.ecr.us-east-1.amazonaws.com/dropinfun-spots-service:latest",
      "memory": 512,
      "portMappings": [
        {
          "containerPort": 80
        }
      ],
      "essential": true
    }
  ]
}

Any idea on how to manage this linked-role error?

JustLudo
Juan Pablo García
  • I got this error for a different reason (adding a second target group to a service): "The service-linked role is required if your task definition uses the awsvpc network mode or if the service is configured to use service discovery, an external deployment controller, multiple target groups, or Elastic Inference accelerators in which case you should not specify a role here." – Andy Jul 11 '20 at 04:44

2 Answers

16

Since you are trying to create Fargate launch type tasks, you set the network mode to awsvpc in the task definition (Fargate only supports awsvpc mode).

In your ecs-service.json, I can see that it has "role": "AWSServiceRoleForECS". It seems that you are trying to assign a service role to this service. AWS does not allow you to specify an IAM role for services that require a service-linked role.

If you assigned the service IAM role because you want to use a load balancer, you can remove it, because task definitions that use the awsvpc network mode use the service-linked role, which is created for you automatically [1].

[1] https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using-service-linked-roles.html#create-service-linked-role

CornSmith
Veck Hsiao
  • Hi! Can you please tell me what the difference is between a service role and a service-linked role? And can I theoretically create this service-linked role in my template using the exact same trust/permission policies as in `AWSServiceRoleForECS`? Will it work then? – Ruslan Plastun Aug 21 '18 at 05:08
  • Please take a look at the first paragraph [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) > A service-linked role is a unique type of IAM role that is linked directly to Amazon ECS. Service-linked roles are predefined by Amazon ECS and include all the permissions that the service requires to call other AWS services on your behalf. – Veck Hsiao Aug 21 '18 at 06:37
  • A service role is just a regular role automatically created for you in the Amazon ECS console, with the principal set to a service. A service-linked role, on the other hand, has several features and restrictions that can't be placed on a service role. You can't create a service-linked role and attach it to a service role. They are two different things. Yes, you can create a service-linked role with the same permission policies as AWSServiceRoleForECS (which is actually a service-linked role). – Veck Hsiao Aug 21 '18 at 06:37
  • Thanks, but it seems to me that you said two opposite things: **You can't create a service-linked role** and then **Yes, you can create a service-linked role**. What am I getting wrong? Can I create a copy of a service-linked role in a CFN template and use it as one or not? – Ruslan Plastun Aug 21 '18 at 14:30
  • Sorry for my poor grammar. What I mean is that yes, you can create a service-linked role. But you cannot attach a service-linked role to a service role. – Veck Hsiao Aug 21 '18 at 14:36
2

Instead of specifying "role": "AWSServiceRoleForECS"

you can specify taskRoleArn in addition to executionRoleArn if you want to assign a specific role to your service (container). It will be useful if you want your container to access other AWS services on your behalf.

task-definition.json

{
  "family": "dropinfun-spots-task",
  "executionRoleArn": "arn:aws:iam::************:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS",
  "taskRoleArn": "here_you_can_define_arn_of_a_specific_iam_role",
  "memory": "0.5GB",
  "cpu": "256",
  "networkMode": "awsvpc",
  "requiresCompatibilities": [
    "FARGATE"
  ],
  "containerDefinitions": [
    {
      "name": "dropinfun-spots-service",
      "image": "************.dkr.ecr.us-east-1.amazonaws.com/dropinfun-spots-service:latest",
      "memory": 512,
      "portMappings": [
        {
          "containerPort": 80
        }
      ],
      "essential": true
    }
  ]
}

Off-note: it is very bad practice to post your AWS account ID.

Manmay Barot
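Pulling the two answers together, as an added example that is not code from the original post, the answerers or AWS: a small Python pre-flight lint for the two JSON files before they go to `aws ecs create-service --cli-input-json`. It encodes the conditions from the error message quoted in the comment under the question (awsvpc network mode, service discovery, an external deployment controller, multiple target groups, Elastic Inference accelerators) under which ECS uses its own service-linked role and rejects a "role" key, and strips that key. It separately flags an executionRoleArn or taskRoleArn that points at AWSServiceRoleForECS: service-linked roles live under the IAM path /aws-service-role/ and are trusted by ecs.amazonaws.com, whereas the task execution role and task role are assumed by ecs-tasks.amazonaws.com, so the ARN copied from the question into the second answer cannot be assumed by a task. The fixtures mirror the question's files with constructed resource ids and the placeholder account id 111122223333; the function names `lint`, `service_linked_role_reasons` and `redact_account_ids` are this example's own, not an AWS API.

```python
"""Pre-flight lint for an ECS service definition + task definition pair.

Added example, not part of the original post or of any AWS tooling.
"""
import copy
import json
import re

# Service-linked roles always sit under this IAM path. They are trusted by
# ecs.amazonaws.com (the control plane), not by ecs-tasks.amazonaws.com, so
# they cannot serve as a task execution role or task role.
SERVICE_LINKED_ROLE_PATH = "/aws-service-role/ecs.amazonaws.com/"


def service_linked_role_reasons(service, task_def):
    """Return the conditions (as listed in the ECS error text) under which ECS
    uses its service-linked role, i.e. under which a "role" key is rejected."""
    reasons = []
    if task_def.get("networkMode") == "awsvpc":
        reasons.append("task definition uses awsvpc network mode")
    if service.get("serviceRegistries"):
        reasons.append("service discovery is configured")
    if service.get("deploymentController", {}).get("type") == "EXTERNAL":
        reasons.append("external deployment controller")
    if len(service.get("loadBalancers", [])) > 1:
        reasons.append("multiple target groups")
    if task_def.get("inferenceAccelerators"):
        reasons.append("Elastic Inference accelerators")
    return reasons


def lint(service, task_def):
    """Return (fixed_service, findings). The fixed copy drops "role" when the
    service-linked role applies; findings lists every problem detected."""
    findings = []
    fixed = copy.deepcopy(service)  # never mutate the caller's dict

    if service.get("launchType") == "FARGATE" and task_def.get("networkMode") != "awsvpc":
        findings.append("FARGATE launch type requires networkMode awsvpc in the task definition")

    reasons = service_linked_role_reasons(service, task_def)
    if "role" in service and reasons:
        findings.append(f'drop "role": {service["role"]}; ECS uses AWSServiceRoleForECS '
                        f'itself ({"; ".join(reasons)})')
        del fixed["role"]

    # Neither task-level role may be the service-linked role: wrong trust policy.
    for key, expected in (("executionRoleArn", "a task execution role such as ecsTaskExecutionRole"),
                          ("taskRoleArn", "an application role for the containers")):
        if SERVICE_LINKED_ROLE_PATH in task_def.get(key, ""):
            findings.append(f"{key} points at the service-linked role; it must be {expected} "
                            "(trust policy principal ecs-tasks.amazonaws.com)")

    # The load balancer must reference a container that exists in the task definition.
    names = {c["name"] for c in task_def.get("containerDefinitions", [])}
    for lb in service.get("loadBalancers", []):
        if lb.get("containerName") not in names:
            findings.append(f"loadBalancers.containerName {lb.get('containerName')!r} "
                            "is not in the task definition")
    return fixed, findings


ACCOUNT_ID = re.compile(r"\b\d{12}\b")


def redact_account_ids(text):
    """Mask 12-digit AWS account ids (in ARNs and ECR hostnames) before sharing."""
    return ACCOUNT_ID.sub("*" * 12, text)


# Constructed fixtures mirroring the question's files. 111122223333 is a
# placeholder account id; the subnet, security-group and target-group ids are invented.
SERVICE = {
    "cluster": "my-fargate-cluster",
    "role": "AWSServiceRoleForECS",  # the key that triggers InvalidParameterException
    "serviceName": "dropinfun-spots",
    "desiredCount": 1,
    "launchType": "FARGATE",
    "networkConfiguration": {"awsvpcConfiguration": {
        "assignPublicIp": "ENABLED",
        "securityGroups": ["sg-0123456789abcdef0"],
        "subnets": ["subnet-0123456789abcdef0"]}},
    "taskDefinition": "dropinfun-spots-task",
    "loadBalancers": [{
        "targetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/dropinfun-spots-target-group/0123456789abcdef",
        "containerName": "dropinfun-spots-service",
        "containerPort": 80}],
}
TASK_DEF = {
    "family": "dropinfun-spots-task",
    # As in the question: the service-linked role wrongly used as execution role.
    "executionRoleArn": "arn:aws:iam::111122223333:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS",
    "memory": "512", "cpu": "256", "networkMode": "awsvpc",
    "requiresCompatibilities": ["FARGATE"],
    "containerDefinitions": [{
        "name": "dropinfun-spots-service",
        "image": "111122223333.dkr.ecr.us-east-1.amazonaws.com/dropinfun-spots-service:latest",
        "portMappings": [{"containerPort": 80}], "essential": True}],
}

if __name__ == "__main__":
    fixed_service, problems = lint(SERVICE, TASK_DEF)
    for problem in problems:
        print("finding:", problem)
    # Cleaned service definition, account ids masked so it is safe to paste into a question.
    print(redact_account_ids(json.dumps(fixed_service, indent=2)))
```

To use it on real files, replace the fixtures with `json.load(open("aws_manual_cfn/ecs-service.json"))` and the registered task definition, write `fixed_service` back out, and only then run `aws ecs create-service`. An EC2 service with a bridge-mode task definition and a single target group is left alone by `lint`, since that is the one case in which a "role" key is still accepted.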