Why do I get an error about executionRoleArn not being specified when it's clearly specified in the file?
When trying to deploy my multi-docker application through beanstalk with a dockerrun.aws.json file, where it has secrets, I get an error that I have to specify an executionRoleArn. When I'm looking at the file, it IS defined.
I tried moving it to a different spot inside the file and tried to define taskRoleArn too, but nothing really works. I couldn't find any hints that it wasn't supported in the AWS documentation. I followed this page: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html
This is my dockerrun.aws.json file, partially redacted.
{
  "AWSEBDockerrunVersion": 2,
  "executionRoleArn": "arn:aws:iam::ACCOUNT_ID:role/ecsTaskExecutionRole",
  "containerDefinitions": [{
    ...
    "secrets": [
      {
        "name": "SOME_ENV",
        "valueFrom": "arn:aws:ssm:REGION:ACCOUNT_ID:parameter/MY_SECRET"
      },
      ...
    ],
    ...
  }],
  "volumes": [
    ...
  ]
}
This is the exact error I'm getting while using eb deploy:
ERROR Service:AmazonECS, Code:ClientException, Message:When you are specifying container secrets, you must also specify a value for 'executionRoleArn'., Class:com.amazonaws.services.ecs.model.ClientException
Solution 1:
At the time of this post, AWS doesn't support EBS with ECS with ecsTaskExecutionRole. The workaround is to have a bash script loaded at login which fetches the env variables from KMS.
Solution 2:
Here is what I can tell you:
- there are posts on GitHub which indicate that the AWS API responds with the error message you provided, if no Secrets are defined. [1]
- the secrets key is relatively new, so it might be unsupported by your version of the eb cli
Could you please check whether you are using the latest version of the eb cli?
References
[1] https://github.com/aws/aws-sdk-go/issues/2370#issuecomment-449780818
Solution 3:
As of May 2022, this is what you need to do:
1. Ensure you have defined ecsTaskExecutionRole (follow these steps to check and add it if it doesn't exist: https://docs.aws.amazon.com/AmazonECS/latest/userguide/task_execution_IAM_role.html).
2. Add the required permissions to access AWS Systems Manager (https://docs.aws.amazon.com/AmazonECS/latest/userguide/specifying-sensitive-data-parameters.html) OR Secrets Manager (https://docs.aws.amazon.com/AmazonECS/latest/userguide/private-auth.html#private-auth-iam). (TIP: I used Resource: "*" in the permissions JSON to allow access to all variables instead of adding each one individually as given in the guides.)
3. Once you add the above, go back to your Task Definition and ensure ecsTaskExecutionRole is set for the Task (right now it needs to be set in a couple of places right below one another!).
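A preflight check for the rule behind the error in the question (secrets require a top-level executionRoleArn), together with a least-privilege alternative to the Resource: "*" tip in Solution 3 that grants access only to the ARNs the file actually references. This is an added example, not code from the post or its authors; the sample Dockerrun.aws.json, account id, region and secret ARNs are constructed placeholders, and the IAM actions are the ones named in the AWS guides linked above.

```python
import json

# Constructed sample modelled on the question's (redacted) Dockerrun.aws.json;
# the account id, region and secret names are placeholders, not real values.
SAMPLE_DOCKERRUN = json.dumps({
    "AWSEBDockerrunVersion": 2,
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "containerDefinitions": [{
        "name": "web",
        "image": "example/web:latest",
        "secrets": [
            {"name": "SOME_ENV",
             "valueFrom": "arn:aws:ssm:us-east-1:123456789012:parameter/MY_SECRET"},
            {"name": "DB_PASSWORD",
             "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:db-pass-AbCdEf"},
        ],
    }],
})

def load_dockerrun(text: str) -> dict:
    """Parse a Dockerrun.aws.json document."""
    return json.loads(text)

def secret_arns(dockerrun: dict) -> list:
    """Every valueFrom ARN referenced under any container's "secrets" list."""
    return [s["valueFrom"]
            for c in dockerrun.get("containerDefinitions", [])
            for s in c.get("secrets", [])]

def check_execution_role(dockerrun: dict) -> list:
    """Apply the ECS rule behind the error in the question: container secrets
    require a top-level executionRoleArn. Returns a list of problems (empty = OK)."""
    if secret_arns(dockerrun) and not dockerrun.get("executionRoleArn"):
        return ["secrets are defined but 'executionRoleArn' is missing"]
    return []

def least_privilege_policy(dockerrun: dict) -> dict:
    """IAM policy for the task execution role that names only the secrets the
    file references, instead of Resource: "*". If a secret is encrypted with a
    customer-managed KMS key, kms:Decrypt on that key must be added as well."""
    arns = secret_arns(dockerrun)
    by_service = {"ssm": "ssm:GetParameters",
                  "secretsmanager": "secretsmanager:GetSecretValue"}
    statements = []
    for service, action in by_service.items():
        # ARN layout is arn:partition:service:region:account:resource, so
        # field 2 tells us which service (and therefore which action) applies.
        resources = [a for a in arns if a.split(":")[2] == service]
        if resources:
            statements.append({"Effect": "Allow", "Action": action,
                               "Resource": resources})
    return {"Version": "2012-10-17", "Statement": statements}
```

Running check_execution_role against the real Dockerrun.aws.json before eb deploy catches the ClientException locally, and the generated policy can be attached to ecsTaskExecutionRole in place of a wildcard resource.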
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | Lorac |
Solution 2 | Martin Löper |
Solution 3 | Sarang |