
I am trying to create a Fargate cluster with ecs-cli using a load balancer. So far I came up with a script to deploy it without one; my script is:

building image

pushing it to ECR

echo ""
echo "creating task execution role"
aws iam wait role-exists --role-name $task_execution_role 2>/dev/null || \
  aws iam --region $REGION create-role --role-name $task_execution_role \
  --assume-role-policy-document file://task-execution-assume-role.json || return 1

echo ""
echo "adding AmazonECSTaskExecutionRole Policy"
aws iam --region $REGION attach-role-policy --role-name $task_execution_role \
  --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy || return 1
    


echo ""
echo "creating task role"
aws iam wait role-exists --role-name $task_role 2>/dev/null || \
  aws iam --region $REGION create-role --role-name $task_role \
  --assume-role-policy-document file://task-role.json || return 1

echo ""
echo "adding AmazonS3ReadOnlyAccess Policy"
aws iam --region $REGION attach-role-policy --role-name $task_role \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess  || return 1
    
    

echo ""
echo "configuring cluster"
ecs-cli configure --cluster $CLUSTER --default-launch-type FARGATE --config-name $CLUSTER --region $REGION || return 1

ecs-cli down --force --cluster-config $CLUSTER --ecs-profile $profile_name || return 1


ecs-cli up --force --cluster-config $CLUSTER --ecs-profile $profile_name  || return 1


echo ""
echo "adding ingress rules to security groups"
aws ec2 authorize-security-group-ingress --group-id $SGid --protocol tcp \
--port 80 --cidr 0.0.0.0/0 --region $REGION || return


ecs-cli compose --project-name $SERVICE_NAME service up --create-log-groups \
  --cluster-config $CLUSTER --ecs-profile $profile_name


ecs-cli compose --project-name $SERVICE_NAME service ps \
  --cluster-config $CLUSTER --ecs-profile $profile_name

aws ec2 describe-instances --query 'Reservations[].Instances[].[InstanceId,InstanceType,PublicIpAddress,Tags[?Key==`Name`]| [0].Value]' --output table

This works: the service is up and I can access it from the public IP.

I now would like to add a load balancer so I can expose a DNS with route53

Following a few other questions’ advice (this one in particular)

I came up with this

echo ""
echo "configuring cluster"
ecs-cli compose --project-name $CLUSTER create

ecs-cli configure --cluster $CLUSTER --default-launch-type FARGATE --config-name $CLUSTER --region $REGION 


echo ""
echo "creating a new AWS CloudFormation stack called amazon-ecs-cli-setup-"$CLUSTER


ecs-cli up --force --cluster-config $CLUSTER --ecs-profile $profile_name 

echo "create elb & add a dns CNAME for the elb dns"
aws elb create-load-balancer --load-balancer-name $SERVICE_NAME --listeners Protocol="TCP,LoadBalancerPort=8080,InstanceProtocol=TCP,InstancePort=80" --subnets $subnet1 $subnet2 --security-groups $SGid --scheme internal

echo "create service with above created task definition & elb"

aws ecs create-service \
    --cluster $CLUSTER \
    --service-name ecs-simple-service-elb \
    --cli-input-json file://ecs-simple-service-elb.json




ecs-cli compose --project-name $SERVICE_NAME service up --create-log-groups \
  --cluster-config $CLUSTER --ecs-profile $profile_name

echo ""
echo "here are the containers that are running in the service"
ecs-cli compose --project-name $SERVICE_NAME service ps --cluster-config $CLUSTER --ecs-profile $profile_name

and I get the following error messages:

    create elb & add a dns CNAME for the elb dns
    An error occurred (InvalidParameterException) when calling the CreateService operation: Unable to assume role and validate the listeners configured on your load balancer. Please verify that the ECS service role being passed has the proper permissions.
    INFO[0002] Using ECS task definition                     TaskDefinition="dashboard:4"
    WARN[0003] Failed to create log group dashboard-ecs in us-east-1: The specified log group already exists
    INFO[0003] Auto-enabling ECS Managed Tags
    ERRO[0003] Error creating service                        error="InvalidParameterException: subnet cannot be blank." service=dashboard
    INFO[0003] Created an ECS service                        service=dashboard taskDefinition="dashboard:4"
    FATA[0003] InvalidParameterException: subnet cannot be blank.

    here are the containers that are running in the service
    Name                                            State                  Ports       TaskDefinition  Health
    dashboard/4d0ebb65b20e4010b93cb99fb5b9e21d/web  STOPPED ExitCode: 137  80->80/tcp  dashboard:4     UNKNOWN

My task execution role and task role have this policy attached

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "ecs-tasks.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}


and the JSON I pass to create service is (copied from the documentation):

{
    "serviceName": "dashboard",
    "taskDefinition": "dashboard",
    "loadBalancers": [
        {
            "loadBalancerName": "dashboard",
            "containerName": "dashboard",
            "containerPort": 80
        }
    ],
    "desiredCount": 10,
    "role": "ecsTaskExecutionRole"
}

what permissions am I missing and what should I change?

bruvio
    Why do you think you are missing permissions? The error says you just need to specify a subnet. – Mark B Mar 05 '21 at 14:21
  • the first error message says: An error occurred (InvalidParameterException) when calling the CreateService operation: Unable to assume role and validate the listeners configured on your load balancer. Please verify that the ECS service role being passed has the proper permissions. – bruvio Mar 05 '21 at 14:47

1 Answer


IIRC, your ECS service role should have AmazonEC2ContainerServiceRole role permissions to access your ELB and validate the listeners.

See here - https://aws.amazon.com/premiumsupport/knowledge-center/assume-role-validate-listeners/ and here - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs_managed_policies.html#AmazonEC2ContainerServiceRole

  • adding echo "adding AmazonEC2ContainerServiceRole Policy" aws iam --region $REGION attach-role-policy --role-name $task_execution_role \ --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole || return 1 ---- does not solve the problem. plus I get ERRO[0000] Unable to open ECS Compose Project error="[--container-name] is required if [--load-balancer-name] or [--target-group-arn] is specified" FATA[0000] Unable to create and read ECS Compose Project error="[--container-name] is required if [--load-balancer-name] or [--target-group-arn] is specified" – bruvio Mar 05 '21 at 20:21
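The following script is an added example, not code from the question or the answer, showing what the two errors in the question's output come down to. The first error ("Unable to assume role and validate the listeners") is raised because the role passed as "role" must be assumable by ecs.amazonaws.com and carry load-balancer permissions (that is what the AmazonEC2ContainerServiceRole policy in the answer provides); ecsTaskExecutionRole trusts ecs-tasks.amazonaws.com, so ECS cannot assume it at all. Fargate tasks, however, always run in awsvpc network mode, and for awsvpc services ECS uses its service-linked role AWSServiceRoleForECS and rejects a "role" value, so the example creates the service-linked role instead and leaves "role" out; the ecsServiceRole with AmazonEC2ContainerServiceRole is only needed for bridge/host-mode services, and a helper for that case is included for completeness. The second error ("subnet cannot be blank") is the missing networkConfiguration that awsvpc requires. awsvpc tasks are registered by IP with an ALB/NLB target group of target type ip rather than with a Classic ELB by name, so the service input uses targetGroupArn. All names and the environment variables CLUSTER, SERVICE_NAME, TASKDEF, CONTAINER, TARGET_GROUP_ARN, SUBNETS and SG_ID are assumptions; the AWS calls run only when the script is invoked with "deploy" or "service-role", so the checks can be run offline.

```sh
#!/bin/sh
# Added example (not from the original question or answer). Assumes the caller
# exports CLUSTER, SERVICE_NAME, TASKDEF, CONTAINER, TARGET_GROUP_ARN,
# SUBNETS (comma-separated) and SG_ID before running "deploy".
set -eu

# Trust policy for a role that ECS itself assumes: the principal is
# ecs.amazonaws.com. The roles in the question trust ecs-tasks.amazonaws.com,
# which only makes them usable as task / task execution roles.
service_role_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ecs.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# trust_policy_allows JSON PRINCIPAL: succeeds only if PRINCIPAL is a trusted
# service in the policy document. Whitespace is stripped first so the check
# does not depend on how the JSON is formatted.
trust_policy_allows() {
  printf '%s' "$1" | tr -d ' \n\t' | grep -q "\"Service\":\"$2\""
}

# create-service input for a Fargate task: launchType FARGATE, a target group
# instead of a Classic ELB name, networkConfiguration with the subnets that
# "subnet cannot be blank" complains about, and no "role" key because ECS uses
# its service-linked role for awsvpc services.
# $1 cluster, $2 service name, $3 task definition, $4 container name,
# $5 target group ARN, $6 comma-separated subnet ids, $7 security group id
service_input_json() {
  subnets=$(IFS=,; for s in $6; do printf '%s"%s"' "${first:+, }" "$s"; first=1; done)
  cat <<EOF
{
  "cluster": "$1",
  "serviceName": "$2",
  "taskDefinition": "$3",
  "launchType": "FARGATE",
  "desiredCount": 1,
  "loadBalancers": [
    { "targetGroupArn": "$5", "containerName": "$4", "containerPort": 80 }
  ],
  "networkConfiguration": {
    "awsvpcConfiguration": {
      "subnets": [$subnets],
      "securityGroups": ["$7"],
      "assignPublicIp": "ENABLED"
    }
  }
}
EOF
}

# has_subnets JSON: succeeds if the service input carries at least one subnet.
has_subnets() {
  printf '%s' "$1" | tr -d ' \n\t' | grep -q '"subnets":\["subnet-'
}

# Bridge/host-mode services only: create the classic ECS service role with the
# policy named in the answer. Not needed (and rejected) for Fargate services.
create_ecs_service_role() {  # $1 role name
  service_role_trust_policy > /tmp/ecs-service-role-trust.json
  aws iam get-role --role-name "$1" >/dev/null 2>&1 || \
    aws iam create-role --role-name "$1" \
      --assume-role-policy-document file:///tmp/ecs-service-role-trust.json
  aws iam attach-role-policy --role-name "$1" \
    --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole
}

# Fargate path: make sure the service-linked role exists (creating it twice is
# an error, hence the get-role guard), then create the service.
deploy() {
  aws iam get-role --role-name AWSServiceRoleForECS >/dev/null 2>&1 || \
    aws iam create-service-linked-role --aws-service-name ecs.amazonaws.com
  service_input_json "${CLUSTER:?}" "${SERVICE_NAME:?}" "${TASKDEF:?}" "${CONTAINER:?}" \
    "${TARGET_GROUP_ARN:?}" "${SUBNETS:?}" "${SG_ID:?}" > /tmp/ecs-service.json
  aws ecs create-service --cli-input-json file:///tmp/ecs-service.json
}

case "${1-}" in
  deploy) deploy ;;
  service-role) create_ecs_service_role "${2:-ecsServiceRole}" ;;
esac
```

Running the script with no arguments only defines the functions, so `trust_policy_allows "$(cat task-role.json)" ecs.amazonaws.com` can be used in the original deployment script to catch the wrong principal before calling create-service; `sh script.sh deploy` performs the actual AWS calls.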