Why do I get an error about executionRoleArn not being specified when it's clearly specified in the file?
When trying to deploy my multi-docker application through beanstalk with a dockerrun.aws.json file, where it has secrets, I get an error that I have to specify an executionRoleArn. When I'm looking at the file, it IS defined.

I tried moving it to different spot inside the file, tried to define taskRoleArn too, nothing really works. I couldn't find any hints that it wasn't supported in the aws documentation. I followed this page : https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html

This is my dockerrun.aws.json file partially redacted.

{
    "AWSEBDockerrunVersion": 2,
    "executionRoleArn": "arn:aws:iam::ACCOUNT_ID:role/ecsTaskExecutionRole",
    "containerDefinitions": [{
        ...
        "secrets": [
            {
                "name" : "SOME_ENV",
                "valueFrom" : "arn:aws:ssm:REGION:ACCOUNT_ID:parameter/MY_SECRET" 
            },
        ...
        ],
        ...
     }],
     "volumes": [
       ....
      ]
}

This is the exact error I'm getting while using eb deploy:

ERROR   Service:AmazonECS, Code:ClientException, Message:When you 
are specifying container secrets, you must also specify a value 
for 'executionRoleArn'., 
Class:com.amazonaws.services.ecs.model.ClientException


Rosales answered 8/7, 2019 at 14:29 Comment(1)
So... have you solved this? - Hyperplane

At the time of this post, AWS doesn't support EBS with ECS with ecsTaskExecutionRole. The workaround is to have a bash script loaded at login which fetches the env variables from KMS.

Rosales answered 3/12, 2019 at 20:35 Comment(1)
Hey, do you have such a script to share? - Littoral

Here is what I can tell you:

  • there are posts on GitHub which indicate that the AWS API responds with the error message you provided, if no Secrets are defined. [1]
  • the secrets key is relatively new, so it might be unsupported by your version of the eb cli

Could you please check whether you are using the latest version of the eb cli?

References

[1] https://github.com/aws/aws-sdk-go/issues/2370#issuecomment-449780818

Woolard answered 12/7, 2019 at 11:19 Comment(1)
Actually, if you use EBS with ECS, then you can't use ecsTaskExecutionRole. - Rosales

Note: this solution is for an ECS Task Definition and may not be the correct solution for the original problem; I learned this from the comments (thanks @JoeSadoski). Leaving this solution here as people may find it useful.

As of May 2022, this is what you need to do:

  1. Ensure you have defined ecsTaskExecutionRole (follow these steps to check, and add it if it doesn't exist: https://docs.aws.amazon.com/AmazonECS/latest/userguide/task_execution_IAM_role.html)

  2. Add required permissions to access AWS Systems Manager: https://docs.aws.amazon.com/AmazonECS/latest/userguide/specifying-sensitive-data-parameters.html OR Secrets Manager: https://docs.aws.amazon.com/AmazonECS/latest/userguide/private-auth.html#private-auth-iam (TIP: I used Resource: "*" in the permissions JSON to allow access to all variables instead of adding each one individually as given in the guides)

Once you add the above, go back to your Task Definition and ensure ecsTaskExecutionRole is set for the Task (right now it needs to be set in a couple of places right below one another!).

Melbourne answered 3/5, 2022 at 9:49 Comment(4)
Could you perhaps post your Docker.aws.json? I'm trying to follow these steps, and it's not working for me in EB. I'm still experiencing the issue OP is experiencing. - Lapidary
@JoeSadoski any luck? I'm still getting OP's error. I have set up IAM and am using executionRoleArn at the top level of Dockerrun.aws.json (version 2) and it's not being picked up. - Armitage
Sadly no, I think that the accepted answer for this question is correct and it's not currently supported. I think @Melbourne may have accidentally answered this question as if it were an ECS task definition, which does allow this property. My workaround was to use a platform hook to access SSM and dump it to an .env file. - Lapidary
I used lmX2015's answer here, with the only exception being that I used predeploy instead of prebuild, as the timing makes more sense. EB also has appdeploy, which I might end up using instead. docs.aws.amazon.com/elasticbeanstalk/latest/dg/… - Lapidary
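The platform-hook workaround mentioned in the comments above, written out as an added example (this is not code from the thread or from AWS): a predeploy hook that reads every SSM parameter under one path and renders them into a .env file for the containers. The hook file name, the parameter path /myapp/prod and the target /var/app/staging/.env are assumptions; adjust them for your application. Because a hook runs under the instance profile rather than ecsTaskExecutionRole, that profile needs ssm:GetParametersByPath on the parameter ARNs and, for SecureString values, kms:Decrypt on the key; scope the Resource to those ARNs rather than the "*" shortcut mentioned in the answer above, so a compromised instance cannot read every parameter in the account.

```shell
#!/bin/sh
# Added example, not code from the original thread: an Elastic Beanstalk platform
# hook that fetches SSM parameters under one path and writes them to a .env file.
# Save as .platform/hooks/predeploy/01_fetch_secrets.sh and make it executable.
# Assumed: aws CLI v2 on the instance, an instance profile allowed
# ssm:GetParametersByPath on the parameter ARNs (plus kms:Decrypt for SecureString),
# and an application that reads /var/app/staging/.env.
set -eu

SSM_PATH="${SSM_PATH:-/myapp/prod}"           # assumed parameter path prefix
ENV_FILE="${ENV_FILE:-/var/app/staging/.env}" # assumed location of the app's .env
tab="$(printf '\t')"

# /myapp/prod/db-password -> DB_PASSWORD: drop the prefix, upper-case, and turn
# every character that is not valid in a variable name into "_".
to_env_name() {
  name="${1#"$SSM_PATH"/}"
  printf '%s' "$name" | tr 'a-z' 'A-Z' | tr -c 'A-Z0-9_\n' '_'
}

# Single-quote a value for the .env line so spaces, $ and quotes survive:
# an embedded ' becomes '\''.
quote_value() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Turn "Name<TAB>Value" rows (what `aws ... --output text` prints) into KEY='value'
# lines. Values containing newlines would break the text format; switch to JSON
# output and a JSON parser if you store such values.
render_env() {
  while IFS="$tab" read -r name value; do
    [ -n "$name" ] || continue
    printf '%s=%s\n' "$(to_env_name "$name")" "$(quote_value "$value")"
  done
}

fetch_parameters() {
  aws ssm get-parameters-by-path --path "$SSM_PATH" --recursive --with-decryption \
    --query 'Parameters[].[Name,Value]' --output text
}

write_env_file() {
  params="$(fetch_parameters)"                  # set -e aborts here if the call fails
  tmp="$(mktemp "$ENV_FILE.XXXXXX")"
  chmod 600 "$tmp"                              # owner-only before any secret is written
  printf '%s\n' "$params" | render_env > "$tmp"
  mv -f "$tmp" "$ENV_FILE"                      # atomic replace, never a half-written file
  echo "wrote $(wc -l < "$ENV_FILE") variables to $ENV_FILE"   # counts only, never values
}

# Run the pipeline only when invoked as the hook file, so the functions above can
# be sourced or tested without calling AWS.
case "${0##*/}" in
  01_fetch_secrets.sh) write_env_file ;;
esac
```

The file is created with mode 600 before anything is written and then renamed into place, so a deploy that fails mid-way never leaves a world-readable or half-written .env behind, and the only thing logged is the number of variables, never their values.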

If using Terraform, you just need to move the reference out of the JSON and use it as an argument in the resource. It will use snake_case instead of camelCase like in the example below.

Source: https://github.com/hashicorp/terraform-provider-aws/issues/6503#issuecomment-461995712

Example:

resource "aws_ecs_task_definition" "frontend" {
  family                   = "frontend-task"
  requires_compatibilities = ["EC2"]
  cpu                      = "256"
  memory                   = "512"
  execution_role_arn       = var.ssm_decrypt_read_role_arn

  container_definitions = jsonencode([
    {
      name      = "frontend",
      image     = "${var.frontend_ecr_repository_url}:latest",
      essential = true,
      portMappings = [
        {
          containerPort = var.frontend_container_port,
          hostPort      = 80
        }
      ],
      secrets = local.frontend_secrets_list
    }
  ])

  tags = {
    Name = "frontend-task"
  }
}
Haynes answered 6/8 at 21:0 Comment(0)
