ECS unable to assume role
From the console, I am invoking a lambda which submits a batch job. The batch job fails, indicating that ECS is unable to assume the role that is provided to execute the job definition.

For the role, I've added the lambda and ECS services.

The error message:

"ECS was unable to assume the role 'arn:aws:iam::749340585813:role/golfnow-invoke-write-progress' that was provided for this task. Please verify that the role being passed has the proper trust relationship and permissions and that your IAM user has permissions to pass this role."

"TrainingJobRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "RoleName": "golfnow-invoke-write-progress",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "lambda.amazonaws.com",
              "ecs.amazonaws.com"
            ]
          },
          "Action": [
            "sts:AssumeRole"
          ]
        }
      ]
    },
    "Path": "/"
  }
}

The batch job:

"TrainingJob": {
  "Type": "AWS::Batch::JobDefinition",
  "Properties": {
    "Type": "container",
    "JobDefinitionName": {
      "Fn::Sub": "c12e-golfnow-${Environment}-job"
    },
    "ContainerProperties": {
      "Image": {
        "Fn::Join": [
          "",
          [
            "{{ image omitted }}",
            {
              "Ref": "AWS::Region"
            },
            ".amazonaws.com/amazonlinux:latest"
          ]
        ]
      },
      "Vcpus": 2,
      "Memory": 2000,
      "Command": [
        "while", "True", ";", "do", "echo", "'hello';", "done"
      ],
      "JobRoleArn": {
        "Fn::GetAtt": [
          "TrainingJobRole",
          "Arn"
        ]
      }
    },
    "RetryStrategy": {
      "Attempts": 1
    }
  }
},
"JobQueue": {
  "Type": "AWS::Batch::JobQueue",
  "Properties": {
    "Priority": 1,
    "ComputeEnvironmentOrder": [
      {
        "Order": 1,
        "ComputeEnvironment": {
          "Ref": "ComputeEnvironment"
        }
      }
    ]
  }
}

Is the issue with the way it's being invoked? My user has admin privileges, so I don't think this is an issue with my user having insufficient permissions.

Tertian answered 26/2, 2018 at 21:33 Comment(0)

You have to add the principal "ecs-tasks.amazonaws.com" to the trust policy for the role that's submitting a Batch job (not "ecs.amazonaws.com").

Revised role:

"TrainingJobRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "RoleName": "golfnow-invoke-write-progress",
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "lambda.amazonaws.com",
              "ecs-tasks.amazonaws.com"
            ]
          },
          "Action": [
            "sts:AssumeRole"
          ]
        }
      ]
    },
    "Path": "/"
  }
}
Tertian answered 27/2, 2018 at 19:32 Comment(5)
All documentation (including the official AWS docs) I've found referred to adding ecs.amazonaws.com to the trust policy, not ecs-tasks.amazonaws.com. This answer helped me fix the issue with the missing principal. – Basilicata
@balas, I agree. Once I looked at the Trust Relationships of a working ECS role in the console, I noticed that the entity listed is ecs-tasks.amazonaws.com (unfortunately I only noticed it after I found this question). – Merlinmerlina
Note that ecs-tasks.amazonaws.com seems to be the required service regardless of whether you're working with batch jobs etc. or not. – Gregoire
In my case, the problem was happening because the path was configured with a value other than "Path": "/". – Rhodie
You can actually find the official documentation for this here: github.com/awsdocs/amazon-ecs-developer-guide/blob/master/… – Lamebrain
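The accepted answer comes down to one detail in the trust policy: the principal ECS uses when it assumes a task's job role is ecs-tasks.amazonaws.com, not ecs.amazonaws.com. The following is an added example (not code from the question or any answer) that evaluates an AssumeRolePolicyDocument offline and reports which service principals may call sts:AssumeRole, so the mix-up is caught before a stack is deployed. Both policy documents are constructed inline to mirror the ones in the thread; the function names and the "*"-principal finding are this example's own additions.

```python
"""Offline check of an IAM role trust policy for a Batch job role / ECS task role.

Added example, not part of the original question or answers. It parses an
AssumeRolePolicyDocument in the shape CloudFormation emits and reports which
service principals are allowed to call sts:AssumeRole.
"""
import json

# The principal ECS presents when it assumes a task's JobRoleArn / taskRole.
ECS_TASKS_PRINCIPAL = "ecs-tasks.amazonaws.com"


def _as_list(value):
    """IAM lets most policy fields be either a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_service_principals(policy_doc):
    """Return the set of service principals the document lets call sts:AssumeRole.

    "*" in the result means an unrestricted principal is allowed. A Deny statement
    removes a service from the result, mirroring IAM's explicit-deny behaviour.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy_doc.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not ({"sts:assumerole", "sts:*", "*"} & actions):
            continue  # statement does not cover role assumption
        principal = stmt.get("Principal", {})
        services = set()
        if principal == "*":
            services.add("*")
        elif isinstance(principal, dict):
            services.update(_as_list(principal.get("Service")))
            if "*" in _as_list(principal.get("AWS")):
                services.add("*")
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target.update(services)
    return allowed - denied


def check_trust_policy(policy_doc, required=ECS_TASKS_PRINCIPAL):
    """Return (ok, findings) for a role that ECS must assume on behalf of a task."""
    services = allowed_service_principals(policy_doc)
    findings = []
    if "*" in services:
        findings.append("trust policy allows any principal to assume the role; "
                        "restrict it to the service that needs it")
    if required not in services:
        findings.append(f"missing service principal {required}; "
                        "ECS cannot assume this role for a task")
        if "ecs.amazonaws.com" in services:
            findings.append("ecs.amazonaws.com is the ECS control-plane principal, "
                            "not the one used for tasks")
    return required in services and "*" not in services, findings


def _trust_policy(*services):
    """Build a minimal AssumeRolePolicyDocument for the given service principals."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": list(services)},
            "Action": ["sts:AssumeRole"],
        }],
    }


# Constructed samples that mirror the question's policy and the accepted answer's fix.
BROKEN_TRUST_POLICY = _trust_policy("lambda.amazonaws.com", "ecs.amazonaws.com")
REVISED_TRUST_POLICY = _trust_policy("lambda.amazonaws.com", "ecs-tasks.amazonaws.com")


if __name__ == "__main__":
    for name, doc in (("question", BROKEN_TRUST_POLICY), ("answer", REVISED_TRUST_POLICY)):
        ok, findings = check_trust_policy(doc)
        print(f"{name}: {'OK' if ok else 'FAIL'}")
        for finding in findings:
            print(f"  - {finding}")
    print(json.dumps(REVISED_TRUST_POLICY, indent=2))
```

Against a deployed role the same check can be fed the dict that boto3's `iam.get_role(RoleName=...)` returns under `Role.AssumeRolePolicyDocument`; a job role that fails `check_trust_policy` produces exactly the "ECS was unable to assume the role" message from the question, while one that only passes because of a "*" principal deserves the scoping fix before anything else.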

And for those who are writing CDK scripts in Java, while defining the TaskDefinition you don't have to explicitly provide any taskRole or executionRole. CDK will create the appropriate Role for you.

Drift answered 16/10, 2020 at 9:9 Comment(0)

You would need to add a trust policy to ECS to call the Batch service.

"Principal": {
  "Service": [
    "batch.amazonaws.com"
  ]
},
Caveator answered 27/2, 2018 at 0:41 Comment(0)

My issue was resolved by adding role name in the CDK script.

// Role that ECS assumes for the task; executionRolePolicy is a PolicyStatement defined elsewhere in the stack.
const ecsFargateServiceRole = new iam.Role(this, 'execution-role', {
  assumedBy: new iam.ServicePrincipal('ecs-tasks.amazonaws.com'),
  roleName: "execution-role"
});
ecsFargateServiceRole.addToPolicy(executionRolePolicy);
Medical answered 29/1, 2022 at 13:7 Comment(3)
As mentioned by @horizon7, you shouldn't need to specify an IAM role unless you need to add additional policies to it. – Mc
@ASimpleProgrammer he mentioned that applies if using Java. The above code is JavaScript. – Medical
SDKs are pretty much the same across languages. You don't need to specify this bit: roleName: "execution-role" – Mc

I got a similar issue, but it's Python, and the solution here doesn't seem to work. Please check and help: aws lambda function can't update ecs service

Insulator answered 30/5, 2023 at 4:7 Comment(0)