AWS ECS Fargate not creating task AmazonECSTaskExecutionRole error - amazon-web-services

I'm trying to launch a test task in a ECS Fargate environment from the AWS console, but every time I try to launch it, I have the error:
Execution Role Failed creation of AmazonECSTaskExecutionRole
I supposed that it was a permissions error, so I asked the account owner (I am an IAM user of another account) to grant them to me, and now I have them, but it still doesn't work.
My current permissions for ECS are:
AmazonECS_FullAccess
AmazonECSTaskExecutionRolePolicy
The worst thing is that AWS doesn't give any kind of information about this error. Does anyone have an idea of how to make it work?
Thank you in advance!

You need the "iam:createRole" permission.

The solution is to add the "iam:createRole" permission.
To do that add this policy to your IAM Policies:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1469200763880",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
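An added example, not part of the answer above: the policy as posted grants iam:CreateRole and iam:AttachRolePolicy on every role in the account, which also allows attaching any managed policy (AdministratorAccess included) to any role. The code below builds the same grant scoped to the single execution role the ECS console creates, and includes a small check that flags the unscoped shape. The account id and the role name "ecsTaskExecutionRole" are placeholders.

```python
# Added example, not from the answer above. It scopes the answer's
# iam:CreateRole/iam:AttachRolePolicy grant to one role and one managed
# policy, and flags Allow statements that grant iam: write actions on "*".
# account_id and the role name "ecsTaskExecutionRole" are placeholders.
ECS_EXEC_POLICY_ARN = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"


def scoped_ecs_role_creation_policy(account_id, role_name="ecsTaskExecutionRole"):
    """Allow creating and wiring up only the ECS task execution role."""
    role_arn = f"arn:aws:iam::{account_id}:role/{role_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CreateOnlyTheEcsExecutionRole",
                "Effect": "Allow",
                "Action": "iam:CreateRole",
                "Resource": role_arn,
            },
            {
                "Sid": "AttachOnlyTheEcsExecutionPolicy",
                "Effect": "Allow",
                "Action": "iam:AttachRolePolicy",
                "Resource": role_arn,
                # iam:PolicyARN is IAM's condition key for AttachRolePolicy;
                # it pins which managed policy may be attached to the role.
                "Condition": {"ArnEquals": {"iam:PolicyARN": ECS_EXEC_POLICY_ARN}},
            },
        ],
    }


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def wildcard_iam_writes(policy):
    """Sids of unconditioned Allow statements granting non-read iam: actions on '*'."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        writes = [a for a in _as_list(stmt.get("Action"))
                  if a.lower().startswith("iam:")
                  and not a.split(":", 1)[1].lower().startswith(("get", "list"))]
        if writes and "*" in _as_list(stmt.get("Resource")):
            flagged.append(stmt.get("Sid") or "<no Sid>")
    return flagged
```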

I was having this same issue, it wasn't related to my permissions but rather the task setup trying to access an ECR image.
I needed to create a new IAM Role that gave the ECS Task access to my ECR repo, then attach that Role as the Execution Role ARN for the task definition. This fixed it for both CLI and Console creation for me.

Related

Does anyone know where this goes in the instances?

{
  "Sid": "ElasticBeanstalkHealthAccess",
  "Action": [
    "elasticbeanstalk:PutInstanceStatistics"
  ],
  "Effect": "Allow",
  "Resource": [
    "arn:aws:elasticbeanstalk:*:*:application/*",
    "arn:aws:elasticbeanstalk:*:*:environment/*"
  ]
}
That's a part of the IAM profile for the elastic beanstalk instance.
If you choose AWSElasticBeanstalkWebTier or AWSElasticBeanstalkWorkerTier as IAM Instance profile, the ElasticBeanstalkHealthAccess permissions will be added already.
See https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/iam-instanceprofile.html
There are two IAM roles associated with an Elastic Beanstalk Environment:
Service role: used to manage the environment
Instance role: role assumed by the running application. It is used to provide access to other AWS services.
You need to find your instance role in IAM console and attach the permission that you see in the documentation. This will allow your application to send statistics.

AWS CodeDeploy does not have the permissions required to assume the role

I am trying to set up CI/CD with AWS + EC2 and am stuck when creating Deployment Group. The role of CodeDeploy has policies AWSCodeDeployRole and AWSCodeDeployRoleForECS but it throws an error. I tried giving it Admin rights but it is still not enough. Am I missing something? Thanks for any help!
You have a role that has the permissions required for CodeDeploy to perform the deployment. What you are missing here is a trust policy defined in the role that allows CodeDeploy to assume the role.
Go to the IAM console and select the role from the Roles section.
Click Trust relationships.
Click Edit trust relationship.
Add the following trust policy to allow the CodeDeploy service to assume this role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "codedeploy.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Reference: Create a service role for CodeDeploy
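An added example, not part of the answer above: a check that reads a role's trust policy and answers whether a given service principal can assume it, plus a check for the opposite mistake, a trust policy whose Principal is "*". It runs over a constructed copy of the CodeDeploy trust policy from the answer; Condition elements on trust statements are not modelled.

```python
# Added example, not from the answer above: reads a role's trust policy and
# reports whether a service principal is allowed to call sts:AssumeRole.
# Condition elements on trust statements are ignored in this example.
def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def service_can_assume(trust_policy, service):
    """True if an Allow statement grants sts:AssumeRole to `service`
    and no Deny statement on the same principal takes it away."""
    allowed = denied = False
    for stmt in trust_policy.get("Statement", []):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        matches = principal == "*" or service in services
        if matches and stmt.get("Effect") == "Allow":
            allowed = True
        if matches and stmt.get("Effect") == "Deny":
            denied = True
    return allowed and not denied


def overly_open_principals(trust_policy):
    """Sids of Allow statements whose Principal is '*' or {'AWS': '*'}:
    any AWS account could assume the role. A service role should never have these."""
    open_sids = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            open_sids.append(stmt.get("Sid") or "<no Sid>")
    return open_sids


# Constructed copy of the CodeDeploy trust policy shown in the answer above.
CODEDEPLOY_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "", "Effect": "Allow",
                   "Principal": {"Service": ["codedeploy.amazonaws.com"]},
                   "Action": "sts:AssumeRole"}],
}
```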

connecting Docker to a cloud provider, Amazon AWS

Context: I was going through Link to Amazon Web Services to create Swarms, in order to connect to my provider.
The role was created with success.
Then, while creating the policy to associate with the role, a problem happened.
Problem:
An error occurred: Cannot exceed quota for PolicySize: 5120
As suggested by them, this is what I need to add in policy:
https://docs.docker.com/docker-for-aws/iam-permissions/
Did some research and people seem to like this solution:
https://github.com/docker/machine/issues/1655
How can I create the policy using the best method?
Noticing that the documentation in Docker is wrong - doesn't work in my case - what's the best method?
You are looking at the wrong instructions. To connect docker-cloud to AWS, follow these instructions: https://docs.docker.com/docker-cloud/infrastructure/link-aws/
It's the following 3 steps:
1. Create an AWS Policy for docker-cloud
2. Create a docker-cloud role and attach the policy from 1
3. Attach the AWS role/account to docker-cloud
The policy in (1) above is pretty simple. It should be allowed to perform ec2 instances related actions (your screenshot of the policy looks like it doesn't provide ec2 permissions):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:*",
        "iam:ListInstanceProfiles"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
The role must have the permissions to implement the policy.
For a detailed post on the deployment via docker-cloud see: https://blog.geografia.com.au/how-we-are-using-docker-cloud-for-automated-testing-and-deployments-of-applications-bb87ec3173e7

OpsWorks Role to Start Instance

I am not able to start an OpsWorks instance after I have created the Instance within an OpsWorks Layer, which is part of an OpsWorks Stack. The error that I get after attempting to start the 24/7 instance is the following:
An error occurred while starting the instance java-app1
OpsWorks failed to obtain the necessary credentials to start the instance on your behalf. Please try again after waiting a minute. If this error persists, please check the permissions of the stack IAM role.
The error indicates that I don't have my permissions set correctly for the IAM Role of my Stack. I have created an OpsWorks Stack that contains a reference to a Role ARN that has the AWSOpsWorksFullAccess and AWSOpsWorksRole policies set for the Role's permissions. I would have thought one of those two policies would be enough.
I can create a OpsWorks Layer within that Stack, and create an OpsWorks instance as well. The created instance uses the DefaultInstanceProfileArn of the Stack. In my case, that ARN references a Role that contains the following policies:
AmazonEC2FullAccess
AWSOpsWorksFullAccess
AWSOpsWorksRole
AmazonS3FullAccess
I know that the policies that I have applied are very broad, but at this point I'm just trying to get an OpsWorks instance to start. What policy needs to be applied in order for OpsWorks to have the correct permissions to start an instance within my Stack?
This is a bit late :-)
I had that issue recently.
The roles that are attached are:
AmazonEC2FullAccess
AWSOpsWorksFullAccess
AWSOpsWorksCMServiceRole
This gives me create, start, stop and delete.
This confused me the most. Passing this mountain brings a lot of sights.
Open the stack settings; you will find your current IAM role.
Follow the document below to attach an inline policy:
https://docs.aws.amazon.com/opsworks/latest/userguide/opsworks-security-servicerole.html
If you create a custom service role, you must ensure that it grants all the permissions that AWS OpsWorks Stacks needs to manage your stack. The following JSON sample is the policy statement for the standard service role; a custom service role should include at least the following permissions in its policy statement.
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:*",
        "iam:PassRole",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:DescribeAlarms",
        "ecs:*",
        "elasticloadbalancing:*",
        "rds:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "ec2.amazonaws.com"
        }
      }
    }
  ]
}
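An added example, not part of the answer above: the service-role policy quoted from the documentation grants iam:PassRole only when the role is being passed to ec2.amazonaws.com, and this is what keeps a service role from handing arbitrary roles to other services. The code below evaluates that condition for a target service over a constructed copy of the statement; only StringEquals and StringLike on iam:PassedToService are modelled.

```python
# Added example, not from the answer above: evaluates the iam:PassedToService
# condition on the OpsWorks service-role statement for a given target service.
# Only StringEquals/StringLike on iam:PassedToService are modelled; any other
# condition key or operator is treated as not satisfied (conservative).
import fnmatch


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def _condition_holds(condition, passed_to):
    """Evaluate the subset of IAM condition operators this example models."""
    for operator, keys in condition.items():
        for key, values in keys.items():
            if key.lower() != "iam:passedtoservice":
                return False
            values = _as_list(values)
            if operator == "StringEquals":
                if passed_to not in values:
                    return False
            elif operator == "StringLike":
                if not any(fnmatch.fnmatchcase(passed_to, v) for v in values):
                    return False
            else:
                return False
    return True


def can_pass_role(policy, passed_to):
    """True if some Allow statement lets iam:PassRole hand a role to `passed_to`."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"iam:passrole", "iam:*", "*"}:
            continue
        if _condition_holds(stmt.get("Condition", {}), passed_to):
            return True
    return False


# Constructed copy of the OpsWorks service-role statement from the answer above.
OPSWORKS_SERVICE_ROLE = {
    "Version": "2008-10-17",
    "Statement": [{
        "Action": ["ec2:*", "iam:PassRole", "cloudwatch:GetMetricStatistics",
                   "cloudwatch:DescribeAlarms", "ecs:*", "elasticloadbalancing:*", "rds:*"],
        "Effect": "Allow",
        "Resource": ["*"],
        "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
    }],
}
```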
A bit late, but the easiest way to solve this if you are just trying out opsworks is to create a service role with EC2 full access.
This should allow for the creation of the stack

AWS EMR Cluster fails to launch

I am trying to launch an AWS EMR Cluster from the AWS Console, and am getting the following error:
Failed to provision ec2 instances because 'IAM Instance Profile "arn:aws:iam::553706642095:instance-profile/EMR_EC2_DefaultRole" has no associated IAM Roles
Any one know what this means and how to resolve it?
The following is the role policy:
{
  "Statement": [
    {
      "Action": [
        "cloudwatch:*",
        "dynamodb:*",
        "ec2:Describe*",
        "elasticmapreduce:Describe*",
        "rds:Describe*",
        "s3:*",
        "sdb:*",
        "sns:*",
        "sqs:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
Its trust policy document is:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
I finally resolved this issue. This was confusing because the instance-profile and the role use the same name by default. Full steps outline below, but you may be able to skip various steps.
Create default roles (if error, downgrade to awscli version 1.10.30)
aws emr create-default-roles
Create instance profile if it doesn't already exist:
aws iam create-instance-profile --instance-profile-name EMR_EC2_DefaultRole
Verify that instance profile exists but doesn't have any roles:
aws iam get-instance-profile --instance-profile-name EMR_EC2_DefaultRole
Add the role using:
aws iam add-role-to-instance-profile --instance-profile-name EMR_EC2_DefaultRole --role-name EMR_EC2_DefaultRole
You have only read-only permission for EMR:
"elasticmapreduce:Describe*",
You need to give full access to Elastic MapReduce so that you can launch/terminate clusters.
Once you give this access, the role policy will look like:
"elasticmapreduce:*",
I tried around and could get it to work without the tool, using my own CloudFormation stack.
The key is that you have to have an InstanceProfile for the flow role, and both the flow and service role have to be provided as ARNs.
That's how I got it to work for me!
Hope that helps someone else as well.
I got the same issue. Instead of giving a new cluster name, I just kept the same default cluster name 'My Cluster' and clicked on 'Create cluster' again. It was created without this error.