cloudformation
This f'ing error was causing me much consternation recently.
ECSService Unable to assume role and validate the listeners configured on your load balancer. Please verify the role being passed has the proper permissions.
This is the error when doing the same with terraform:
aws_ecs_service.ecs_service: InvalidParameterException: Unable to assume role and validate the specified targetGroupArn. Please verify that the ECS service role being passed has the proper permissions. status code: 400, request id: blah-blah-blah
Here's the service definition for the ECS chunk:
{
"service": {
"Type": "AWS::ECS::Service",
"DependsOn": [
"ALBListener",
"ECSAutoScalingGroup",
"ECSServiceRole",
"EcsTargetGroup",
"EC2Role",
"taskdefinition"
],
"Properties": {
"Cluster": {
"Ref": "ECSCluster"
},
"DesiredCount": "1",
"LoadBalancers": [
{
"ContainerName": "wt-api",
"ContainerPort": "8080",
"TargetGroupArn": {
"Ref": "EcsTargetGroup"
}
}
],
"Role": {
"Ref": "ECSServiceRole"
},
"TaskDefinition": {
"Ref": "taskdefinition"
}
}
}
}And here's my service role definition:
{
"ECSServiceRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ecs.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "ecs-service",
"PolicyDocument": {
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"ec2:Describe*",
"ec2:AuthorizeSecurityGroupIngress",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:Describe*",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer"
],
"Resource": "*"
}
]
}
}
]
}
}
}And here's my terraform chunk to do the service:
resource "aws_ecs_service" "ecs_service" {
name = "ecs_service-${var.env_name}-${var.stack_version}"
cluster = "${aws_ecs_cluster.ecs_cluster.id}"
iam_role = "${aws_iam_role.service_role.arn}"
depends_on = ["aws_iam_policy.service_policy"]
desired_count = 1
task_definition = "${aws_ecs_task_definition.app.arn}"
load_balancer {
container_name = "app_task"
container_port = 8080
target_group_arn = "${aws_alb_target_group.target-group.arn}"
}
}The IAM stuff is basically the same for the tf chunk here.
Long story short here, this is a problem when you try to reference the wrong TargetGroupArn. When I was getting the error I was actually pointing to the ALB instead of the TargetGroup. Seems obvious, but TF's string interrelation sucks in that it doesn't do embedded variables.
The error from TF and the error from CF were both equally vague and not very helpful at all. Hope this helps someone else out there.
Read More →