AWS ECS Service Definition: Role property

Question

I am setting up an AWS ECS Service using cloudformation and yaml syntax.

At some point, in the relevant documentation there is a property called Role whose definitions is the following:

Role

The name or ARN of an AWS Identity and Access Management (IAM) role that allows your Amazon ECS container agent to make calls to your load balancer.

Note In some cases, you might need to add a dependency on the service role's policy. For more information, see IAM role policy in DependsOn Attribute. Required: No Type: String Update requires: Replacement

Since I intend to place the specific service behind an Application Load Balancer, is this property needed?

If so, do I need to create a new policy or are there any pre-defined policies that can serve this purpose?

Would it be enough if I just added the role/policy on the EC2 container instance level (e.g. append it in the relevant template that creates the ECS cluster offered by amazon?)

I would really appreciate any examples or use cases if any because the documentation is vague and incomplete on the topic.

Answer 1

You need the Role attribute if you want to use the Application Load balancer with your ECS service. As per the description the role allows your ECS service agent to connect to load balancer. If you are not using load balancer then, the field is optional.

Also setting the role on EC2 instance level is not needed. Since there are some policies which are related to ECS services, adding it at instance level role is not valid.

Please find below AWS managed polices to create the role:

{
"AttachedPolicies": [
    {
        "PolicyArn": "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceAutoscaleRole",
        "PolicyName": "AmazonEC2ContainerServiceAutoscaleRole"
    },
    {
        "PolicyArn": "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
        "PolicyName": "AmazonEC2ContainerServiceforEC2Role"
    },
    {
        "PolicyArn": "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole",
        "PolicyName": "AmazonEC2ContainerServiceRole"
    }
 ]
}

Trust relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Answer 2

To register your service with application load balancer you need the role for the service itself, but some permission needs for ECS container to register with cluster.

Amazon Elastic Container Service uses AWS Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to Amazon ECS. Service-linked roles are predefined by Amazon ECS and include all the permissions that the service requires to call other AWS services on your behalf.

A service-linked role makes setting up Amazon ECS easier because you don’t have to manually add the necessary permissions. Amazon ECS defines the permissions of its service-linked roles, and unless defined otherwise, only Amazon ECS can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

So if you check this role this contain property

"elasticloadbalancing:RegisterInstancesWithLoadBalancer",

To Debug remove the role to service , it will not register.

If you create service using console by default it attach the role.

Amazon ECS needs permissions to register and deregister container instances with your load balancer when tasks are created and stopped.

In most cases, the Amazon ECS service role is automatically created for you in the Amazon ECS console first run experience. You can use the following procedure to check and see if your account already has an Amazon ECS service role.

This managed polici by AWS having ARN

arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole
Policy ARN

arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole Description Default policy for Amazon ECS service role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:Describe*",
                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
                "elasticloadbalancing:DeregisterTargets",
                "elasticloadbalancing:Describe*",
                "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                "elasticloadbalancing:RegisterTargets"
            ],
            "Resource": "*"
        }
    ]
}

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/check-service-role.html

this is how its look like

If you do not assign a role to ECS container instance it will never show in you ECS cluster and it will throw an error

2018-09-06T15:26:22Z [ERROR] Could not register: NoCredentialProviders: no valid providers in chain. Deprecated.
    For verbose messaging see aws.Config.CredentialsChainVerboseErrors

under /var/logs/ecs

tail -f ecs-agent.log.2018-09-06

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using-service-linked-roles.html