AWS IAM role successfully created but unavailable
I am trying to create an IAM ecsInstanceRole for an ECS cluster with container instances. I am hitting a brick wall as follows:
I created an IAM role named ecsInstanceRole.
The trust relationship is:
```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
The attached policy is the AWS managed AmazonEC2ContainerServiceforEC2Role.
I think that everything was done by the book. Yet, when I try to attach the IAM role in the Create Cluster, the above role does not appear as an option. The same happens when I just try to create a simple EC2 instance. The role does not appear. Should I not be able to see the role, since the trusted entity is ec2.amazonaws.com?
Please help. This is really driving me nuts.
Thanks.
Theodoros
Solution 1:[1]
You have created an IAM role for an EC2 instance rather than for the ECS service, and hence you are not able to look up the role while creating the ECS cluster.
You need to create a role for the ECS service and choose "EC2 Role for Elastic Container Service", which will have the following inline policy that provides the required permissions for EC2 instances in ECS to access ECS:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeTags",
        "ecs:CreateCluster",
        "ecs:DeregisterContainerInstance",
        "ecs:DiscoverPollEndpoint",
        "ecs:Poll",
        "ecs:RegisterContainerInstance",
        "ecs:StartTelemetrySession",
        "ecs:UpdateContainerInstancesState",
        "ecs:Submit*",
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
```
After that you need to add the trust relationship for the above role as mentioned in the following documentation. https://docs.amazonaws.cn/en_us/AmazonECS/latest/developerguide/instance_IAM_role.html
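An offline check of the two policy documents in this thread, added here as an example (it is not code from the question or the answer): it lists which service principals the trust policy lets assume the role, and which needed actions the permissions policy does not allow. `REQUIRED` is a constructed sample list, and the matcher reads Allow statements only, ignoring Deny, NotAction, Resource and Condition.

```python
import json
from fnmatch import fnmatchcase

# Trust policy from the question and permissions policy from the answer.
TRUST = json.loads('''{"Version": "2008-10-17", "Statement": [{"Sid": "",
  "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
  "Action": "sts:AssumeRole"}]}''')
POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["ec2:DescribeTags", "ecs:CreateCluster",
    "ecs:DeregisterContainerInstance", "ecs:DiscoverPollEndpoint", "ecs:Poll",
    "ecs:RegisterContainerInstance", "ecs:StartTelemetrySession",
    "ecs:UpdateContainerInstancesState", "ecs:Submit*",
    "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
    "logs:CreateLogStream", "logs:PutLogEvents"],
  "Resource": "*"}]}''')
# Constructed sample: actions to confirm the policy covers.
REQUIRED = ["ecs:RegisterContainerInstance", "ecs:Poll",
            "ecs:SubmitTaskStateChange", "ecr:BatchGetImage", "logs:PutLogEvents"]

def as_list(value):
    """IAM accepts a single value or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def allowed_patterns(doc):
    """Lower-cased Action patterns from Allow statements (action names are case-insensitive)."""
    return [a.lower() for st in as_list(doc.get("Statement"))
            if st.get("Effect") == "Allow" for a in as_list(st.get("Action"))]

def trusted_services(trust_doc):
    """Service principals that an Allow statement lets call sts:AssumeRole."""
    services = set()
    for st in as_list(trust_doc.get("Statement")):
        grants = any(fnmatchcase("sts:assumerole", p)
                     for p in allowed_patterns({"Statement": st}))
        principal = st.get("Principal")
        if grants and isinstance(principal, dict):  # Principal may also be the string "*"
            services.update(as_list(principal.get("Service")))
    return services

def missing_actions(policy_doc, needed):
    """Needed actions that no Allow statement matches, honouring * and ? wildcards."""
    patterns = allowed_patterns(policy_doc)
    return [n for n in needed if not any(fnmatchcase(n.lower(), p) for p in patterns)]

if __name__ == "__main__":
    print("trusted services:", sorted(trusted_services(TRUST)))
    print("missing actions:", missing_actions(POLICY, REQUIRED))
```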
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 |
