4
votes

I am trying to migrate from Amazon ECS EC2 to Fargate. Here I have made some changes as per the recommendation from https://aws.amazon.com/blogs/compute/migrating-your-amazon-ecs-containers-to-aws-fargate/. I am using Amazon CloudFormation to create/update the resources.

ECSTaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
        Family : !Join ["_", [!Ref "AppName", !Ref "ComponentName", !Ref "TargetEnv" ]]
        NetworkMode: "awsvpc"
        ExecutionRoleArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/ecsTaskExecutionRole"
        TaskRoleArn: 
            Fn::Sub: 
                [ 
                    "arn:aws:iam::${AWS::AccountId}:role/exec_dp_${TargetEnv}",
                    { 
                        TargetEnv: !Ref "TargetEnv"
                    }
                ]
        RequiresCompatibilities:
          - "FARGATE"
        Memory: "512"
        Cpu: '256'
        ContainerDefinitions:

Here the problem is that when I try to create the stack it gives me the error below:

Unable to assume the service linked role. Please verify that the ECS service linked role exists

I have also tried creating a service-linked role, something like below:

AwsEcsTaskExecutionRole:
     Type: AWS::IAM::Role
     Properties:
        Path: /
        AssumeRolePolicyDocument:
             Version: 2012-10-17
             Statement:
                 - Effect: Allow
                   Principal:
                       Service: ecs.amazonaws.com
                   Action: sts:AssumeRole
        ManagedPolicyArns:
             - arn:aws:iam::aws:policy/aws-service-role/AmazonECSServiceRolePolicy

and then specified it as ExecutionRoleArn: !GetAtt AwsEcsTaskExecutionRole.Arn

It's not working. Any direction regarding this would really help.

1 Answer

7
votes

Short answer:

Run this command: aws iam create-service-linked-role --aws-service-name ecs.amazonaws.com

Long answer:

AWS introduced Service-Linked Roles. For old AWS accounts or if you never created an ECS cluster by hand in the console, you have to run the command above to have the role created.
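
The command in the answer returns an error when the role already exists, so a deployment script can check for it first. The wrapper below is an added example, not part of the original answer; it assumes the AWS CLI is configured with permission for `iam:GetRole` and `iam:CreateServiceLinkedRole`, and the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example: idempotent wrapper around the command from the answer.
# Assumes the AWS CLI is installed and configured; names are hypothetical.

ECS_SLR_NAME="AWSServiceRoleForECS"   # name IAM gives the ECS service-linked role
ECS_SLR_SERVICE="ecs.amazonaws.com"   # service principal used in the answer

# True when the role is visible to the calling credentials.
ecs_slr_present() {
    aws iam get-role --role-name "$ECS_SLR_NAME" >/dev/null 2>&1
}

# Prints "exists", "created" or "failed"; returns non-zero only on "failed".
ensure_ecs_service_linked_role() {
    if ecs_slr_present; then
        echo "exists"
        return 0
    fi
    if aws iam create-service-linked-role \
            --aws-service-name "$ECS_SLR_SERVICE" >/dev/null 2>&1; then
        echo "created"
        return 0
    fi
    # Another deployment may have created the role between the two calls;
    # check once more before reporting a failure.
    if ecs_slr_present; then
        echo "exists"
        return 0
    fi
    echo "failed"
    return 1
}

# Call ensure_ecs_service_linked_role before creating the CloudFormation stack.
```

A result of `failed` usually means the credentials lack one of the two IAM permissions listed above.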