Terraform, ecs service creation fails when using a configured IAM policy

Tags: amazon-iam, amazon-web-services, cloud computing, configuration, terraform

Using Terraform, ecs service creation fails when using a configured IAM policy.

Error applying plan:

1 error(s) occurred:

* aws_ecs_service.beatthemarket_service: InvalidParameterException: Unable to assume role and validate the listeners configured on your load balancer.  Please verify the role being passed has the proper permissions.
    status code: 400, request id: ba3a3fb8-0972-11e6-a877-954fd57ba1a9

This seems to correspond with this issue.
But I can't seem to fix it, even after adding a policy. I also don't think this is a timing issue, as the role already exists after trying terraform apply several times.

So far I just have an IAM role, policy, an ELB, and ECS cluster, service and task definition. Do I need anything else, like an Autoscaling group, Launch configuration, Instance profile or Security group?

Is there anything obvious missing, that explains why the service can't accept the role I've configured? The role seems to have all the correct permissions.

# Permissions policy attached to the role. Note that it grants every ec2, ecs,
# iam and elasticloadbalancing action on every resource ("*"); far broader than
# an ECS service role needs.
resource "aws_iam_role_policy" "beatthemarket" {
  name = "beatthemarket"
  role = "${aws_iam_role.beatthemarket.id}"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:*",
        "ecs:*",
        "iam:*",
        "elasticloadbalancing:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

Best Answer

Turns out I needed to set the service to ecs.amazonaws.com and not ec2.amazonaws.com in my aws_iam_role. I'd tried this before, but didn't specify sufficient permissions in the aws_iam_role_policy. It's very much like this issue on the AWS forums.

# Trust policy: the principal allowed to assume the role must be the ECS
# service (ecs.amazonaws.com), not the EC2 service.
resource "aws_iam_role" "beatthemarket" {
  name = "beatthemarket"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ecs.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

For future reference, hope this helps someone.
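The two points from the answer (a trust policy naming ecs.amazonaws.com, and a permissions policy that is not a blanket wildcard) combined into one corrected configuration, plus the ordering caveat that causes the same error when ECS assumes the role before its permissions exist. This is an added example, not code from the question or answer; it assumes Terraform 0.12+ syntax, that aws_ecs_cluster.beatthemarket, aws_ecs_task_definition.beatthemarket and aws_elb.beatthemarket are defined elsewhere, and it uses AWS's managed AmazonEC2ContainerServiceRole policy in place of the question's ec2/ecs/iam/elasticloadbalancing wildcards.

```hcl
# Terraform 0.12+ syntax (assumed). The cluster, task definition and ELB
# resources referenced below are assumed to exist elsewhere in the configuration.

# Trust policy: only the ECS service principal may assume this role.
# ec2.amazonaws.com here is what produced the "Unable to assume role" error.
data "aws_iam_policy_document" "ecs_service_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "ecs_service" {
  name               = "beatthemarket-ecs-service"
  assume_role_policy = data.aws_iam_policy_document.ecs_service_assume.json
}

# Permissions: instead of ec2:*, ecs:*, iam:*, elasticloadbalancing:* on "*",
# attach AWS's managed service-role policy, which is limited to the
# ec2:Describe* and elasticloadbalancing register/deregister/describe calls
# ECS needs to wire tasks into the load balancer.
resource "aws_iam_role_policy_attachment" "ecs_service" {
  role       = aws_iam_role.ecs_service.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole"
}

resource "aws_ecs_service" "beatthemarket" {
  name            = "beatthemarket"
  cluster         = aws_ecs_cluster.beatthemarket.id
  task_definition = aws_ecs_task_definition.beatthemarket.arn
  desired_count   = 1
  iam_role        = aws_iam_role.ecs_service.arn

  load_balancer {
    elb_name       = aws_elb.beatthemarket.name
    container_name = "beatthemarket"
    container_port = 8080
  }

  # ECS validates the listeners at creation time by assuming the role, so the
  # permissions must already be attached; Terraform cannot infer this ordering
  # because the service only references the role's ARN, not its policy.
  depends_on = [aws_iam_role_policy_attachment.ecs_service]
}
```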