When I use AWS CloudFormation to launch an Amazon ECS service resource (AWS::ECS::Service), I get this error message:

12:21:48 UTC+0100    CREATE_FAILED    AWS::ECS::Service    ECSService Unable to assume role and validate the listeners configured on your load balancer. Please verify the role being passed has the proper permissions.

 

Creating an ECS service while using an independent IAM policy resource that specifies an instance profile can cause creation of the ECS service to fail.

This error can occur for one or more of these reasons:

  • The policy associated with the ECS service role lacks sufficient permissions to execute the operation.
  • If you are using a CloudFormation template to create an ECS service via the “AWS::IAM::Policy” and “AWS::ECS::Service” resource types, the dependency of the service on the policy has not been declared by using the DependsOn attribute. Because CloudFormation creates, updates, and deletes resources in parallel, creating “AWS::ECS::Service” without specifying the dependency on “AWS::IAM::Policy” can cause CloudFormation to attempt to create “AWS::ECS::Service” before the “AWS::IAM::Policy” is ready.

Consider one or more of the following solutions:

  • Check that the ECS service’s IAM role has the necessary permissions.
  • Verify the Auto Scaling group or the ECS container instance has an instance profile associated as an attribute.
  • Use a custom resource to cause delays in the stack creation process, which can give service role permissions time to propagate.
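The missing DependsOn described above can be caught before deployment. The following check is an added example, not code from AWS or from this article: it scans a JSON template for AWS::ECS::Service resources whose role has an AWS::IAM::Policy attached that the service does not list in DependsOn. It assumes the service's Role and the policy's Roles entries are written as Ref or Fn::GetAtt (literal role names are not resolved), and the sample template and its logical IDs are constructed.

```python
import json

# Constructed sample template; every logical ID here is made up for illustration.
TEMPLATE = json.loads("""
{"Resources": {
  "ServiceRole": {"Type": "AWS::IAM::Role", "Properties": {}},
  "ServicePolicy": {"Type": "AWS::IAM::Policy", "Properties": {
      "PolicyName": "ecs-service", "Roles": [{"Ref": "ServiceRole"}]}},
  "RacingService": {"Type": "AWS::ECS::Service", "Properties": {
      "Role": {"Ref": "ServiceRole"}}},
  "OrderedService": {"Type": "AWS::ECS::Service", "DependsOn": "ServicePolicy",
      "Properties": {"Role": {"Fn::GetAtt": ["ServiceRole", "Arn"]}}}
}}
""")


def logical_id(value):
    """Logical ID named by {"Ref": id} or {"Fn::GetAtt": [id, attr]}, else None."""
    if not isinstance(value, dict):
        return None
    if "Ref" in value:
        return value["Ref"]
    target = value.get("Fn::GetAtt")
    return target[0] if isinstance(target, list) and target else None


def missing_policy_dependencies(template):
    """Map each AWS::ECS::Service to the policies on its role it does not DependsOn."""
    resources = template.get("Resources", {})
    policies_by_role = {}
    for name, res in resources.items():
        if res.get("Type") == "AWS::IAM::Policy":
            for role in res.get("Properties", {}).get("Roles", []):
                policies_by_role.setdefault(logical_id(role), []).append(name)
    findings = {}
    for name, res in resources.items():
        if res.get("Type") != "AWS::ECS::Service":
            continue
        role = logical_id(res.get("Properties", {}).get("Role"))
        depends = res.get("DependsOn", [])
        depends = [depends] if isinstance(depends, str) else depends
        missing = sorted(p for p in policies_by_role.get(role, []) if p not in depends)
        if role is not None and missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    print(missing_policy_dependencies(TEMPLATE))
```

A service reported here can be created before its role's policy exists, which is the ordering problem behind the "Unable to assume role" failure; adding the listed policy to the service's DependsOn clears the finding.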


Published: 2016-08-09