amazon-web-servicesamazon-elastic-beanstalkamazon-ecs

Why do I get an error about executionRoleArn not being specified when it's clearly specified in the file?


When trying to deploy my multi-docker application through beanstalk with a dockerrun.aws.json file, where it has secrets, I get an error that I have to specify an executionRoleArn. When I'm looking at the file, it IS defined.

I tried moving it to different spot inside the file, tried to define taskRoleArn too, nothing really works. I couldn't find any hints that it wasn't supported in the aws documentation. I followed this page : https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html

This is my dockerrun.aws.json file partially redacted.

{
    "AWSEBDockerrunVersion": 2,
    "executionRoleArn": "arn:aws:iam::ACCOUNT_ID:role/ecsTaskExecutionRole",
    "containerDefinitions": [{
        ...
        "secrets": [
            {
                "name" : "SOME_ENV",
                "valueFrom" : "arn:aws:ssm:REGION:ACCOUNT_ID:parameter/MY_SECRET" 
            },
        ...
        ],
        ...
     }],
     "volumes": [
       ....
      ]
}

This is the exact error I'm getting while using eb deploy:

ERROR   Service:AmazonECS, Code:ClientException, Message:When you 
are specifying container secrets, you must also specify a value 
for 'executionRoleArn'., 
Class:com.amazonaws.services.ecs.model.ClientException

enter image description here


Solution

  • At this moment of this post AWS doesn't support EBS with ECS with ecsTaskExecutionRole. The workaround is to have a bash script loaded at login which fetches the env variables from KMS