Why do I get an error about executionRoleArn not being specified when it's clearly specified in the file?

When trying to deploy my multi-docker application through Beanstalk with a dockerrun.aws.json file that has secrets, I get an error that I have to specify an executionRoleArn. When I look at the file, it IS defined.

I tried moving it to a different spot inside the file, tried to define taskRoleArn too, nothing really works. I couldn't find any hints that it wasn't supported in the AWS documentation. I followed this page: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html

This is my dockerrun.aws.json file partially redacted.

{
    "AWSEBDockerrunVersion": 2,
    "executionRoleArn": "arn:aws:iam::ACCOUNT_ID:role/ecsTaskExecutionRole",
    "containerDefinitions": [{
        ...
        "secrets": [
            {
                "name": "SOME_ENV",
                "valueFrom": "arn:aws:ssm:REGION:ACCOUNT_ID:parameter/MY_SECRET"
            },
            ...
        ],
        ...
    }],
    "volumes": [
        ...
    ]
}

This is the exact error I'm getting while using eb deploy:

ERROR   Service:AmazonECS, Code:ClientException, Message:When you are specifying container secrets, you must also specify a value for 'executionRoleArn'., Class:com.amazonaws.services.ecs.model.ClientException




Solution 1:[1]

At the time of this post, AWS doesn't support EBS with ECS with ecsTaskExecutionRole. The workaround is to have a bash script loaded at login which fetches the env variables from KMS.

Solution 2:[2]

Here is what I can tell you:

  • there are posts on GitHub which indicate that the AWS API responds with the error message you provided, if no Secrets are defined. [1]
  • the secrets key is relatively new, so it might be unsupported by your version of the eb cli

Could you please check whether you are using the latest version of the eb cli?

References

[1] https://github.com/aws/aws-sdk-go/issues/2370#issuecomment-449780818

Solution 3:[3]

As of May 2022, this is what you need to do:

  1. Ensure you have defined ecsTaskExecutionRole (follow these steps to check, and add it if it doesn't exist: https://docs.aws.amazon.com/AmazonECS/latest/userguide/task_execution_IAM_role.html).

  2. Add required permissions to access AWS Systems Manager: https://docs.aws.amazon.com/AmazonECS/latest/userguide/specifying-sensitive-data-parameters.html OR Secrets Manager: https://docs.aws.amazon.com/AmazonECS/latest/userguide/private-auth.html#private-auth-iam (TIP: I used Resource: "*" in the permissions JSON to allow access to all variables instead of adding each one individually as given in the guides)

Once you add the above, go back to your Task Definition and ensure ecsTaskExecutionRole is set for the Task (right now it needs to be set in a couple of places right below one another!).
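As an added example (not code from any of the answers above), the following script applies the ECS rule behind the error in the question to a Dockerrun.aws.json v2 document and, rather than the Resource: "*" shortcut from the tip above, builds an execution-role policy scoped to exactly the SSM parameters and Secrets Manager secrets the containers reference. The sample document, account id, region and secret names are constructed placeholders; the dict is what json.load of the real file yields, and valueFrom is assumed to hold full ARNs.

```python
# Constructed sample Dockerrun.aws.json (v2) shaped like the one in the question;
# account id, region, role and secret names are placeholders.
SAMPLE_DOCKERRUN = {
    "AWSEBDockerrunVersion": 2,
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "containerDefinitions": [{
        "name": "web",
        "image": "example/web:1.0",
        "secrets": [
            {"name": "SOME_ENV",
             "valueFrom": "arn:aws:ssm:us-east-1:123456789012:parameter/MY_SECRET"},
            {"name": "DB_PASSWORD",
             "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:db-pass-AbCdEf"},
        ],
    }],
}


def check_execution_role(dockerrun):
    """Return a list of problems; empty means the file passes the ECS rule
    behind the error in the question: secrets require an executionRoleArn."""
    problems = []
    containers = dockerrun.get("containerDefinitions", [])
    role = dockerrun.get("executionRoleArn")
    if any(c.get("secrets") for c in containers) and not role:
        problems.append("containers declare secrets but executionRoleArn is missing")
    if role and not role.startswith("arn:aws:iam::"):
        problems.append("executionRoleArn is not an IAM role ARN: " + role)
    return problems


def least_privilege_policy(dockerrun):
    """Build the execution-role policy scoped to the exact secret ARNs the task
    references, instead of Resource "*". Assumes valueFrom holds full ARNs."""
    ssm, secrets = set(), set()
    for c in dockerrun.get("containerDefinitions", []):
        for s in c.get("secrets", []):
            arn = s["valueFrom"]
            (ssm if arn.startswith("arn:aws:ssm:") else secrets).add(arn)
    statements = []
    if ssm:  # Parameter Store values are read with ssm:GetParameters
        statements.append({"Effect": "Allow", "Action": "ssm:GetParameters",
                           "Resource": sorted(ssm)})
    if secrets:  # Secrets Manager values are read with secretsmanager:GetSecretValue
        statements.append({"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
                           "Resource": sorted(secrets)})
    return {"Version": "2012-10-17", "Statement": statements}
```

Attach the generated statements to the execution role alongside the AmazonECSTaskExecutionRolePolicy managed policy; if a parameter or secret is encrypted with a customer-managed KMS key, the role additionally needs kms:Decrypt on that key.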

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Lorac
Solution 2 Martin Löper
Solution 3 Sarang