ECS CLI - You cannot specify an IAM role for services that require a service linked role

aws-cli amazon-ecs aws-fargate amazon-ecr
Juan Pablo García picture Juan Pablo García · May 25, 2018 · Viewed 8.4k times · Source

I'm trying to deploy a container to ECS (Fargate) via aws cli. I'm able to create the task definition successfully, the problem comes when I want to add a new service to my Fargate cluster.

This is the command a execute:

aws ecs create-service --cli-input-json file://aws_manual_cfn/ecs-service.json

This is the error that I'm getting:

An error occurred (InvalidParameterException) when calling the CreateService operation: You cannot specify an IAM role for services that require a service linked role.`

ecs-service.json

{
"cluster": "my-fargate-cluster",
"role": "AWSServiceRoleForECS",
"serviceName": "dropinfun-spots",
"desiredCount": 1,
"launchType": "FARGATE",
"networkConfiguration": {
    "awsvpcConfiguration": {
        "assignPublicIp": "ENABLED",
        "securityGroups": ["sg-06d506f7e444f2faa"],
        "subnets": ["subnet-c8ffcbf7", "subnet-1c7b6078", "subnet-d47f7efb", "subnet-e704cfad", "subnet-deeb43d1", "subnet-b59097e8"]
     }
},
"taskDefinition": "dropinfun-spots-task",
"loadBalancers": [
    {
        "targetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:************:targetgroup/dropinfun-spots-target-group/c21992d4a411010f",
        "containerName": "dropinfun-spots-service",
        "containerPort": 80
    }
]
}

task-definition.json

{
"family": "dropinfun-spots-task",
"executionRoleArn": "arn:aws:iam::************:role/aws-service-role/ecs.amazonaws.com/AWSServiceRoleForECS",
"memory": "0.5GB",
"cpu": "256",
"networkMode": "awsvpc",
"requiresCompatibilities": [
  "FARGATE"
],
"containerDefinitions": [
  {
    "name": "dropinfun-spots-service",
    "image": "************.dkr.ecr.us-east-1.amazonaws.com/dropinfun-spots-service:latest",
    "memory": 512,
    "portMappings": [
        {
          "containerPort": 80
        }
      ],
    "essential": true
  }
]
}

Any idea on how to manage this linked-role error?

Answer

Veck Hsiao picture Veck Hsiao · May 28, 2018

Since you are trying to create Fargate launch type tasks, you set the network mode to awsvpc mode in task definition (Fargate only support awsvpc mode).

In your ecs-service.json, I can see that it has "role": "AWSServiceRoleForECS". It seems that you are trying to assign a service role for this service. AWS does not allow you to specify an IAM role for services that require a service linked role.

If you assigned the service IAM role because you want to use a load balancer, you can remove it. Because task definition that use awsvpc network mode use service-linked role, which is created for you automatically[1].

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using-service-linked-roles.html#create-service-linked-role

Related questions

AWS ECS Error when running task: No Container Instances were found in your cluster

Im trying to deploy a docker container image to AWS using ECS, but the EC2 instance is not being created. I have scoured the internet looking for an explanation as to why I'm receiving the following error: "A client error (…

Read More
How to run AWS ECS Task overriding environment variables

To override environment variables via CLI we may use --overrides (structure) according to AWS ECS Commandline Reference. How to pass name value pairs (structure or JSON) in command line? [ { "name" : "NAME", "value" : "123" }, { "name" : "DATE", "value" : "1234-12-12" }, { "name" : "SCRIPT", "value" : "123456" } ] …

Read More
AWS CLI S3 A client error (403) occurred when calling the HeadObject operation: Forbidden

I'm trying to setup a Amazon Linux AMI(ami-f0091d91) and have a script that runs a copy command to copy from a S3 bucket. aws --debug s3 cp s3://aws-codedeploy-us-west-2/latest/codedeploy-agent.noarch.rpm . This script works perfectly on …

Read More