I get an error message when I use AWS CloudFormation to launch an Amazon Elastic Container Service (Amazon ECS) resource (AWS::ECS::Service).
If I'm using a Classic Load Balancer, I get an error message similar to this:
"12:21:48 UTC+0100 CREATE_FAILED AWS::ECS::Service ECSService Unable to assume role and validate the listeners configured on your load balancer. Please verify the role being passed has the proper permissions."
If I'm using an Application Load Balancer, I get an error message similar to this:
"12:21:48 UTC+0100 CREATE_FAILED AWS::ECS::Service ECSService Unable to assume role and validate the specified targetGroupArn. Please verify that the ECS service role being passed has the proper permissions."
If you create an Amazon ECS service whose permissions come from an independent AWS Identity and Access Management (IAM) policy resource that specifies an instance profile, the Amazon ECS service can fail with one of the preceding errors.
To resolve the error for both Classic Load Balancers and Application Load Balancers, try one or more of the following solutions:
- Confirm that the IAM role for the Amazon ECS service has the right permissions to register and deregister container instances with your load balancers.
  Tip: You can use this AWS CloudFormation template as a reference to build out your Amazon ECS architecture components with the right dependencies. The architecture components include an Amazon ECS cluster, service, load balancers, container instances, and IAM resources.
- Confirm that your AWS Auto Scaling group or Amazon ECS container instance has an instance profile associated as an attribute.
- Use the DependsOn attribute to specify the dependency of the AWS::ECS::Service resource on AWS::IAM::Policy. Or, use a custom resource to delay the stack creation process and give service role permissions time to propagate.
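The following template fragment is an added example, not from the AWS article, showing the first and third solutions together: the service role's load balancer permissions live in a separate AWS::IAM::Policy resource, and the AWS::ECS::Service declares DependsOn on that policy so CloudFormation does not create the service before the policy exists. The actions mirror the AWS managed AmazonEC2ContainerServiceRole policy; the cluster, task definition and target group are assumed to exist and are passed in as parameters, and the container name "web" is a constructed value.

```yaml
Parameters:
  ClusterName:
    Type: String
  TaskDefinitionArn:
    Type: String
  TargetGroupArn:
    Type: String  # must already be attached to a listener on the ALB
Resources:
  ECSServiceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs.amazonaws.com
            Action: sts:AssumeRole
  # Permissions are granted by a separate policy resource, so the service must wait for it
  ECSServicePolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: ecs-service-elb-access
      Roles:
        - !Ref ECSServiceRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - ec2:AuthorizeSecurityGroupIngress
              - ec2:Describe*
              - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
              - elasticloadbalancing:DeregisterTargets
              - elasticloadbalancing:Describe*
              - elasticloadbalancing:RegisterInstancesWithLoadBalancer
              - elasticloadbalancing:RegisterTargets
            Resource: '*'
  ECSService:
    Type: AWS::ECS::Service
    DependsOn: ECSServicePolicy  # otherwise the service may be created before the policy exists
    Properties:
      Cluster: !Ref ClusterName
      TaskDefinition: !Ref TaskDefinitionArn
      DesiredCount: 1
      Role: !Ref ECSServiceRole
      LoadBalancers:
        - ContainerName: web  # constructed name; must match the task definition
          ContainerPort: 80
          TargetGroupArn: !Ref TargetGroupArn
```

Without the DependsOn line, CloudFormation may create the service in parallel with the policy (it only infers a dependency on the role via !Ref), which is exactly when the "Unable to assume role and validate the specified targetGroupArn" error appears.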