8
votes

I'm trying to deploy a container to ECS (Fargate) via aws cli. I'm able to create the task definition successfully, the problem comes when I want to add a new service to my Fargate cluster.

This is the command I execute:

aws ecs create-service --cli-input-json file://aws_manual_cfn/ecs-service.json

This is the error that I'm getting:

An error occurred (InvalidParameterException) when calling the CreateService operation: You cannot specify an IAM role for services that require a service linked role.

ecs-service.json

{
"cluster": "my-fargate-cluster",
"role": "AWSServiceRoleForECS",
"serviceName": "dropinfun-spots",
"desiredCount": 1,
"launchType": "FARGATE",
"networkConfiguration": {
    "awsvpcConfiguration": {
        "assignPublicIp": "ENABLED",
        "securityGroups": ["sg-06d506f7e444f2faa"],
        "subnets": ["subnet-c8ffcbf7", "subnet-1c7b6078", "subnet-d47f7efb", "subnet-e704cfad", "subnet-deeb43d1", "subnet-b59097e8"]
     }
},
"taskDefinition": "dropinfun-spots-task",
"loadBalancers": [
    {
        "targetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:************:targetgroup/dropinfun-spots-target-group/c21992d4a411010f",
        "containerName": "dropinfun-spots-service",
        "containerPort": 80
    }
]
}

task-definition.json

{
"family": "dropinfun-spots-task",
"executionRoleArn": "arn:aws:iam::************:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS",
"memory": "0.5GB",
"cpu": "256",
"networkMode": "awsvpc",
"requiresCompatibilities": [
  "FARGATE"
],
"containerDefinitions": [
  {
    "name": "dropinfun-spots-service",
    "image": "************.dkr.ecr.us-east-1.amazonaws.com/dropinfun-spots-service:latest",
    "memory": 512,
    "portMappings": [
        {
          "containerPort": 80
        }
      ],
    "essential": true
  }
]
}

Any idea on how to manage this linked-role error?

2
I got this error for a different reason (adding a second target group to a service): "The service-linked role is required if your task definition uses the awsvpc network mode or if the service is configured to use service discovery, an external deployment controller, multiple target groups, or Elastic Inference accelerators in which case you should not specify a role here." - Andy

2 Answers

8
votes

Since you are trying to create Fargate launch type tasks, you set the network mode to awsvpc in the task definition (Fargate only supports awsvpc mode).

In your ecs-service.json, I can see that it has "role": "AWSServiceRoleForECS". It seems that you are trying to assign a service role for this service. AWS does not allow you to specify an IAM role for services that require a service linked role.

If you assigned the service IAM role because you want to use a load balancer, you can remove it, because task definitions that use the awsvpc network mode use the service-linked role, which is created for you automatically [1].

[1] https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using-service-linked-roles.html#create-service-linked-role
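To turn this answer (and the condition list Andy quoted in the comment) into a pre-flight check, here is an added Python example; it is not code from the answer or from AWS. It inspects a create-service JSON document of the kind passed to --cli-input-json and drops "role" whenever ECS would insist on the service-linked role. The service document is a constructed copy of the question's, with placeholder security group, subnet and account identifiers.

```python
import copy
import json

# Constructed sample: the service definition from the question with the
# account-specific identifiers replaced by placeholders.
SERVICE_JSON = """
{
  "cluster": "my-fargate-cluster",
  "role": "AWSServiceRoleForECS",
  "serviceName": "dropinfun-spots",
  "desiredCount": 1,
  "launchType": "FARGATE",
  "networkConfiguration": {
    "awsvpcConfiguration": {
      "assignPublicIp": "ENABLED",
      "securityGroups": ["sg-EXAMPLE"],
      "subnets": ["subnet-EXAMPLE1", "subnet-EXAMPLE2"]
    }
  },
  "taskDefinition": "dropinfun-spots-task",
  "loadBalancers": [
    {
      "targetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/dropinfun-spots-target-group/EXAMPLE",
      "containerName": "dropinfun-spots-service",
      "containerPort": 80
    }
  ]
}
"""


def load_service(text=SERVICE_JSON):
    """Parse a create-service JSON document into a dict."""
    return json.loads(text)


def service_linked_role_reasons(service, task_network_mode=None):
    """Return the conditions under which CreateService requires the
    service-linked role, as listed in the AWS docs quoted in the thread:
    awsvpc network mode, service discovery, an external deployment
    controller, multiple target groups. An empty list means a classic
    service IAM role is still acceptable. task_network_mode is the
    networkMode of the referenced task definition, if known."""
    reasons = []
    uses_awsvpc = (
        task_network_mode == "awsvpc"
        or service.get("launchType") == "FARGATE"  # Fargate is always awsvpc
        or "awsvpcConfiguration" in service.get("networkConfiguration", {})
    )
    if uses_awsvpc:
        reasons.append("awsvpc network mode")
    if service.get("serviceRegistries"):
        reasons.append("service discovery")
    if service.get("deploymentController", {}).get("type") == "EXTERNAL":
        reasons.append("external deployment controller")
    if len(service.get("loadBalancers", [])) > 1:
        reasons.append("multiple target groups")
    return reasons


def preflight(service, task_network_mode=None):
    """Return (fixed_service, findings). The returned copy has "role"
    removed when ECS would reject it; the input dict is left untouched."""
    fixed = copy.deepcopy(service)
    findings = []
    reasons = service_linked_role_reasons(service, task_network_mode)
    if "role" in service and reasons:
        findings.append(
            'drop "role": "%s" (ECS uses AWSServiceRoleForECS because of: %s)'
            % (service["role"], ", ".join(reasons))
        )
        del fixed["role"]
    return fixed, findings


if __name__ == "__main__":
    fixed, findings = preflight(load_service())
    for finding in findings:
        print("preflight:", finding)
    # Write this out and pass it as --cli-input-json file://ecs-service.json
    print(json.dumps(fixed, indent=2))
```

The check mirrors the API's rule rather than the error message, so it also catches the case from the comment (a second target group on an EC2-launch-type service) before the call is made.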

1
votes

Instead of specifying "role": "AWSServiceRoleForECS"

you can specify taskRoleArn in addition to executionRoleArn if you want to assign a specific role to your service (container). It will be useful if you want your container to access other AWS services on your behalf.

task-definition.json

{
"family": "dropinfun-spots-task",
"executionRoleArn": "arn:aws:iam::************:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS",
"taskRoleArn": "here_you_can_define_arn_of_a_specific_iam_role",
"memory": "0.5GB",
"cpu": "256",
"networkMode": "awsvpc",
"requiresCompatibilities": [
  "FARGATE"
],
"containerDefinitions": [
  {
    "name": "dropinfun-spots-service",
    "image": "************.dkr.ecr.us-east-1.amazonaws.com/dropinfun-spots-service:latest",
    "memory": 512,
    "portMappings": [
        {
          "containerPort": 80
        }
      ],
    "essential": true
  }
]
}

Off-note: it is very bad practice to post an AWS account_id.
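As an added example that is not the answer's own code, the Python below checks the two role slots of a task definition and builds the trust policy those roles need. It flags the executionRoleArn used throughout this thread: AWSServiceRoleForECS lives under the /aws-service-role/ path and its trust policy names only ecs.amazonaws.com, so the ecs-tasks.amazonaws.com principal that runs tasks cannot assume it; a Fargate task needs a separate execution role (ecsTaskExecutionRole is the conventional name) to pull from ECR and write logs, and taskRoleArn should be a third, narrower role for the application. It also masks 12-digit account ids, as the off-note asks. The account id 111122223333 and the role name dropinfun-spots-task-role are constructed placeholders.

```python
import json
import re

# Constructed placeholders: 111122223333 is a documentation-style account id,
# dropinfun-spots-task-role is invented here.
ACCOUNT_ID = "111122223333"
TASK_DEF = {
    "family": "dropinfun-spots-task",
    # Same shape as the answer: the service-linked role used as execution role.
    "executionRoleArn": "arn:aws:iam::%s:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS" % ACCOUNT_ID,
    "taskRoleArn": "arn:aws:iam::%s:role/dropinfun-spots-task-role" % ACCOUNT_ID,
    "memory": "0.5GB",
    "cpu": "256",
    "networkMode": "awsvpc",
    "requiresCompatibilities": ["FARGATE"],
    "containerDefinitions": [
        {
            "name": "dropinfun-spots-service",
            "image": "%s.dkr.ecr.us-east-1.amazonaws.com/dropinfun-spots-service:latest" % ACCOUNT_ID,
            "memory": 512,
            "portMappings": [{"containerPort": 80}],
            "essential": True,
        }
    ],
}

ACCOUNT_ID_RE = re.compile(r"\b\d{12}\b")


def is_service_linked_role(arn):
    """Service-linked roles live under /aws-service-role/; their trust policy
    names only the owning service (ecs.amazonaws.com here), so the task
    principal ecs-tasks.amazonaws.com cannot assume them."""
    return ":role/aws-service-role/" in arn


def check_task_roles(task_def):
    """Return findings about executionRoleArn and taskRoleArn."""
    findings = []
    exec_arn = task_def.get("executionRoleArn")
    task_arn = task_def.get("taskRoleArn")
    if not exec_arn:
        findings.append("executionRoleArn missing: Fargate needs it to pull from ECR and send logs")
    elif is_service_linked_role(exec_arn):
        findings.append("executionRoleArn is a service-linked role; use a role trusted by ecs-tasks.amazonaws.com")
    if task_arn and is_service_linked_role(task_arn):
        findings.append("taskRoleArn is a service-linked role; tasks cannot assume it")
    if task_arn and exec_arn and task_arn == exec_arn:
        findings.append("taskRoleArn equals executionRoleArn: keep agent and application permissions separate")
    return findings


def ecs_tasks_trust_policy(account_id, region):
    """Trust policy for both the execution role and the task role. The
    SourceAccount/SourceArn conditions are the confused-deputy guard AWS
    documents for ecs-tasks.amazonaws.com: only tasks in this account and
    region can assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "ecs-tasks.amazonaws.com"},
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {"aws:SourceAccount": account_id},
                    "ArnLike": {"aws:SourceArn": "arn:aws:ecs:%s:%s:*" % (region, account_id)},
                },
            }
        ],
    }


def redact_account_ids(text):
    """Mask 12-digit account ids in ARNs and ECR image URIs before sharing."""
    return ACCOUNT_ID_RE.sub("************", text)


def redacted_task_def(task_def):
    """JSON text of the task definition with account ids masked."""
    return redact_account_ids(json.dumps(task_def, indent=2))


if __name__ == "__main__":
    for finding in check_task_roles(TASK_DEF):
        print("finding:", finding)
    print(json.dumps(ecs_tasks_trust_policy(ACCOUNT_ID, "us-east-1"), indent=2))
    print(redacted_task_def(TASK_DEF))
```

The execution role then only needs the AWS-managed AmazonECSTaskExecutionRolePolicy (ECR pull plus CloudWatch Logs), while the task role carries only what the application itself calls; giving the container the execution role's permissions, or reusing one role for both, widens what a compromised process inside the container can reach.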