[ECS] [BUG]: Create Service Fails Using Multiple TG and Role Specified #461
Comments
Duplicate of https://github.com/aws/containers-roadmap/issues/12#issuecomment-516908024# And Customized service role is not equal to Service Linked Role (SLR). It says: As having services with multiple target groups is a relatively new feature, documentation should be updated to reflect that SLR is the only way for multiple target groups, and a custom role should be used with a single target group only.
@rohanmangal if that's just the way it works, that's less than ideal but fine. It's just odd to me that AWS would prevent people from being explicit with the error that @nataizya-s put above since that error also appears if you try to specify the default role of
SLR is the preferred way to use, as it provides better service role management for both the ECS user and ECS itself, e.g. ECS won't be able to manage customer resources if the customized service role is deleted or misconfigured. ECS is enforcing this requirement for new features. For backward compatibility, a customized service role is still supported for a single target group, but we suggest removing the customized service role and defaulting to the SLR.
I completely understand that SLR is required and why it is required from those docs; that is not the issue. The question of this issue is why ECS does not allow users to be explicit and specify that they want to use the SLR and instead forces users to depend on the default behavior working as they expect, since that is not a good practice for users to follow.
@vs-jawad Good question, if I understand correctly, you expect
Yes, that is correct. Right now, trying to create a service specifying that role fails with the error message @nataizya-s (an AWS support agent) documented above. At a minimum, there should be a better error message for that scenario. The preferred outcome however would be that the call does not fail when you are explicit and specify the SLR.
Same issue. Running two target groups with an ECS service. Neither task is running.
Specifying the Role when creating a service with 2 target groups fails:
```
$ aws ecs create-service --cluster test --service-name test --task-definition nginx:1 \
    --load-balancers '[{ "targetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789:targetgroup/test1/8717e8583778e6c1", "containerName":"nginx", "containerPort": 80 }, { "targetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789:targetgroup/test2/f003525972e6665a", "containerName": "nginx", "containerPort":80 } ]' \
    --desired-count 1 --role ECS
```
Tested this with both the CLI and with CloudFormation as described in the docs https://aws.amazon.com/about-aws/whats-new/2019/07/amazon-ecs-services-now-support-multiple-load-balancer-target-groups/.
When the second target group is removed, it works as expected and the service is created successfully.
Why is it that the role is not recognized as a service linked role?
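A pre-deployment check for the CloudFormation case described in this thread, added here as an example (not code from the issue or from AWS): it flags `AWS::ECS::Service` resources that set `Role` while listing more than one target group, and can drop `Role` so the service falls back to the service-linked role. The template, its logical IDs and the function names are constructed for illustration.

```python
import json

# Constructed CloudFormation template (JSON form); logical IDs and Refs are placeholders.
_LB1 = {"TargetGroupArn": {"Ref": "Tg1"}, "ContainerName": "nginx", "ContainerPort": 80}
_LB2 = {"TargetGroupArn": {"Ref": "Tg2"}, "ContainerName": "nginx", "ContainerPort": 80}
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "MultiTgWithRole": {"Type": "AWS::ECS::Service", "Properties": {
        "Role": {"Ref": "CustomEcsRole"}, "LoadBalancers": [_LB1, _LB2]}},
    "SingleTgWithRole": {"Type": "AWS::ECS::Service", "Properties": {
        "Role": {"Ref": "CustomEcsRole"}, "LoadBalancers": [_LB1]}},
    "MultiTgNoRole": {"Type": "AWS::ECS::Service", "Properties": {
        "LoadBalancers": [_LB1, _LB2]}},
    "Tg1": {"Type": "AWS::ElasticLoadBalancingV2::TargetGroup", "Properties": {}},
}})


def _target_groups(props):
    """LoadBalancers entries that attach a target group."""
    return [lb for lb in props.get("LoadBalancers", []) if "TargetGroupArn" in lb]


def find_role_conflicts(template_text):
    """Return (logical_id, target_group_count) for services that would be rejected."""
    findings = []
    resources = json.loads(template_text).get("Resources", {})
    for logical_id, res in sorted(resources.items()):
        if res.get("Type") != "AWS::ECS::Service":
            continue
        props = res.get("Properties", {})
        count = len(_target_groups(props))
        # A custom role is only accepted with a single target group.
        if count > 1 and "Role" in props:
            findings.append((logical_id, count))
    return findings


def drop_conflicting_roles(template_text):
    """Remove Role from flagged services so ECS defaults to the service-linked role."""
    template = json.loads(template_text)
    for logical_id, _ in find_role_conflicts(template_text):
        del template["Resources"][logical_id]["Properties"]["Role"]
    return json.dumps(template, indent=2)


if __name__ == "__main__":
    for logical_id, count in find_role_conflicts(SAMPLE_TEMPLATE):
        print(f"{logical_id}: Role set with {count} target groups; remove Role")
```
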