Yoh*_*oda 5 amazon-web-services aws-cloudformation
I created the following CloudFormation template to create an ECS cluster, a TaskDefinition and a Service, but I get an error. What is wrong with these settings?

The error is: `Please verify that the ECS service role being passed has the proper permissions`. Regarding `Role: !ImportValue "IAMRoleECSService"`: no error occurs, but it cannot complete and stays in CREATE_IN_PROGRESS.

```yaml
ECSApplicationService:
  Type: "AWS::ECS::Service"
  DependsOn:
    - "ECSApplicationCluster"
    - "ECSApplicationTaskDefinition"
  Properties:
    Cluster: !Ref "ECSApplicationCluster"
    DeploymentConfiguration:
      MaximumPercent: 100
      MinimumHealthyPercent: 50
    DesiredCount: 4
    LoadBalancers:
      - ContainerName: !Ref "ContainerAppName"
        ContainerPort: 80
        TargetGroupArn: !ImportValue "ALBTargetGroup"
    Role: !ImportValue "IAMRoleECSService"
    ServiceName: "ecs-application-service"
    TaskDefinition: !Ref "ECSApplicationTaskDefinition"

IAMRoleECSService:
  Type: "AWS::IAM::Role"
  Properties:
    RoleName: "ecs-service"
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: "Allow"
          Principal:
            Service:
              - "ecs.amazonaws.com"
          Action:
            - "sts:AssumeRole"
    Policies:
      - PolicyName: "ec2-management"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Action:
                - "ec2:AuthorizeSecurityGroupIngress"
                - "ec2:Describe*"
              Resource: "*"
      - PolicyName: "alb-management"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Action:
                - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
                - "elasticloadbalancing:DeregisterTargets"
                - "elasticloadbalancing:DescribeTargetGroups"
                - "elasticloadbalancing:DescribeTargetHealth"
                - "elasticloadbalancing:Describe*"
                - "elasticloadbalancing:RegisterInstancesWithLoadBalancer"
                - "elasticloadbalancing:RegisterTargets"
              Resource: "*"
```

What should I do?
Update: as of July 19, 2018, IAM service-linked roles can be created with CloudFormation (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-servicelinkedrole.html):

```yaml
EcsServiceLinkedRole:
  Type: "AWS::IAM::ServiceLinkedRole"
  Properties:
    AWSServiceName: "ecs.amazonaws.com"
    Description: "Role to enable Amazon ECS to manage your cluster."
```

Old answer: ECS now depends on a service-linked role instead of a normal role. Make sure it has been created for the account with:

```sh
aws iam create-service-linked-role --aws-service-name ecs.amazonaws.com
```

Then remove the `Role` parameter from your service, along with `IAMRoleECSService`, since it is no longer needed.
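The "old answer" step above only needs to run once per account, and a second `create-service-linked-role` call fails because the role already exists. The following added example (not code from the question or the answer) wraps that step in an idempotent shell function suitable for a deployment script; it assumes the AWS CLI is configured with credentials allowed to call `iam:GetRole` and `iam:CreateServiceLinkedRole`, and the function names `ecs_slr_exists` and `ensure_ecs_service_linked_role` are hypothetical.

```shell
#!/bin/sh
# Ensure the ECS service-linked role exists before deploying an ECS stack.
# Added example, not part of the original question or answer. Assumes a
# configured AWS CLI with iam:GetRole and iam:CreateServiceLinkedRole.

ECS_SLR_NAME="AWSServiceRoleForECS"   # name AWS assigns to the ECS service-linked role
ECS_SERVICE_NAME="ecs.amazonaws.com"  # service principal used to create it

# Returns 0 if the role is already present, non-zero otherwise. A failing
# get-role (NoSuchEntity, or a permissions error) is treated as "not present".
ecs_slr_exists() {
    aws iam get-role --role-name "$ECS_SLR_NAME" >/dev/null 2>&1
}

# Idempotently create the role. Prints "exists" or "created" and returns 0;
# returns 1 when the role is missing and creation failed (for example, the
# caller lacks iam:CreateServiceLinkedRole).
ensure_ecs_service_linked_role() {
    if ecs_slr_exists; then
        echo "exists"
        return 0
    fi
    if aws iam create-service-linked-role \
            --aws-service-name "$ECS_SERVICE_NAME" >/dev/null 2>&1; then
        echo "created"
        return 0
    fi
    echo "failed: could not create $ECS_SLR_NAME (check iam:CreateServiceLinkedRole)" >&2
    return 1
}

# Usage in a deployment script:
#   ensure_ecs_service_linked_role || exit 1
#   aws cloudformation deploy --template-file template.yaml --stack-name ecs-app ...
```

Run `ensure_ecs_service_linked_role` before `aws cloudformation deploy`; once it reports `exists` or `created`, the `AWS::ECS::Service` resource can be deployed without the custom `Role` property.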