1
votes

I am trying to deploy an ECS stack with an ALB using CloudFormation, and I get an error at the Service creation, which seems to be a missing permission to access the load balancer.

Here is the error: Unable to assume role and validate the specified targetGroupArn. Please verify that the ECS service role being passed has the proper permissions.

Here is the service definition:

    "EcsService": {
      "Type":"AWS::ECS::Service",
      "DependsOn": [
        "loadBalancer",
        "EcsServiceRole"
      ],
      "Properties":{
        "Cluster":{
          "Ref": "EcsCluster"
        },
        "DesiredCount":"1",
        "DeploymentConfiguration":{
          "MaximumPercent":100,
          "MinimumHealthyPercent":0
        },
        "LoadBalancers": [
          {
            "ContainerName": "test-web",
            "ContainerPort": "80",
            "TargetGroupArn" : {
              "Ref": "loadBalancer"
            }
          }
        ],
        "Role":{
          "Ref": "EcsServiceRole"
        },
        "TaskDefinition":{
          "Ref": "runWebServerTaskDefinition"
        }
      }
    }

Here is the Load Balancer definition:

    "loadBalancer" : {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {
        "Name": "testalb",
        "Scheme" : "internal",
        "Subnets" : [
          "subnet-b8217295",
          "subnet-ddaad2b8",
          "subnet-6d71fb51"
        ],
        "LoadBalancerAttributes" : [
          { "Key" : "idle_timeout.timeout_seconds", "Value" : "50" }
        ],
        "SecurityGroups": [
          { "Ref": "InstanceSecurityGroupOpenWeb" },
          { "Ref" : "InstanceSecurityGroupOpenFull" }
        ],
        "Tags" : [
          { "Key" : "key", "Value" : "value" },
          { "Key" : "key2", "Value" : "value2" }
        ]
      }
    }

Here is the IAM role the service should use:

    "EcsServiceRole": {
      "Type":"AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement":[
            {
              "Effect":"Allow",
              "Principal":{
                "Service":[
                  "ecs.amazonaws.com"
                ]
              },
              "Action":[
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "Path":"/",
        "Policies":[
          {
            "PolicyName":"ecs-service",
            "PolicyDocument":{
              "Statement":[
                {
                  "Effect":"Allow",
                  "Action":[
                    "elasticloadbalancing:*",
                    "ec2:*"
                  ],
                  "Resource":"*"
                }
              ]
            }
          }
        ]
      }
    }

I didn't find whether there is a specific IAM namespace for ALB. Do you have an idea?

2 Answers

3
votes

TargetGroupArn should point to the TargetGroup ARN, not the ALB ARN. Currently it is pointed at the Load Balancer ARN:

    "TargetGroupArn" : {
      "Ref": "loadBalancer"
    }
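As an added example that is not part of either answer: a small Python check over a constructed CloudFormation fragment (hypothetical logical names webTargetGroup and webListener) that flags a TargetGroupArn whose Ref points at anything other than an AWS::ElasticLoadBalancingV2::TargetGroup, and also flags a service with no DependsOn on the listener that forwards to that target group, because the target group has to be attached to the ALB before the service is created.

```python
import copy
TG_TYPE = "AWS::ElasticLoadBalancingV2::TargetGroup"
LISTENER_TYPE = "AWS::ElasticLoadBalancingV2::Listener"

# Constructed template fragment with hypothetical logical names: EcsService's TargetGroupArn
# wrongly Refs the load balancer (as in the question) although a target group and a listener exist.
TEMPLATE = {"Resources": {
    "loadBalancer": {"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer"},
    "webTargetGroup": {"Type": TG_TYPE},
    "webListener": {"Type": LISTENER_TYPE, "Properties": {
        "LoadBalancerArn": {"Ref": "loadBalancer"},
        "DefaultActions": [{"Type": "forward", "TargetGroupArn": {"Ref": "webTargetGroup"}}]}},
    "EcsService": {"Type": "AWS::ECS::Service", "DependsOn": ["loadBalancer"], "Properties": {
        "LoadBalancers": [{"ContainerName": "test-web", "ContainerPort": 80,
                           "TargetGroupArn": {"Ref": "loadBalancer"}}]}},
}}

def ref_of(value):
    # Logical name behind a {"Ref": ...}; literal ARNs and other intrinsics are not checked.
    return value.get("Ref") if isinstance(value, dict) else None

def listeners_for(resources, target_group):
    # Listeners whose default action forwards to target_group.
    return [name for name, res in resources.items() if res.get("Type") == LISTENER_TYPE
            and any(ref_of(a.get("TargetGroupArn")) == target_group
                    for a in res.get("Properties", {}).get("DefaultActions", []))]

def check_ecs_services(template):
    """Findings: TargetGroupArn is not a TargetGroup, or no DependsOn on a listener forwarding to it."""
    resources, findings = template["Resources"], []
    for name, res in resources.items():
        if res.get("Type") != "AWS::ECS::Service":
            continue
        depends = res.get("DependsOn", [])
        depends = {depends} if isinstance(depends, str) else set(depends)
        for lb in res.get("Properties", {}).get("LoadBalancers", []):
            target = ref_of(lb.get("TargetGroupArn"))
            if target is None:
                continue
            actual = resources.get(target, {}).get("Type")
            if actual != TG_TYPE:
                findings.append(f"{name}: TargetGroupArn refers to {target} ({actual}), expected {TG_TYPE}")
            elif not depends & set(listeners_for(resources, target)):
                findings.append(f"{name}: add DependsOn on a listener forwarding to {target}")
    return findings

def corrected(template, target="webTargetGroup", depends=("loadBalancer", "webListener")):
    # Deep copy of the template with EcsService pointed at target and the given DependsOn.
    fixed = copy.deepcopy(template)
    fixed["Resources"]["EcsService"]["DependsOn"] = list(depends)
    fixed["Resources"]["EcsService"]["Properties"]["LoadBalancers"][0]["TargetGroupArn"] = {"Ref": target}
    return fixed
```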
0
votes

UPDATE: As of July 19th 2018, it is now possible to create an IAM Service-Linked Role using CloudFormation: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html

    EcsServiceLinkedRole:
      Type: "AWS::IAM::ServiceLinkedRole"
      Properties:
        AWSServiceName: "ecs.amazonaws.com"
        Description: "Role to enable Amazon ECS to manage your cluster."

OLD ANSWER: Since AWS introduced Service-Linked Roles, I no longer specify a role for my AWS::ECS::Service. It will default to the service-linked role, which has all the necessary permissions.