AWS re:Post Knowledge Center Feedback Survey

Help us improve the AWS re:Post Knowledge Center by sharing your feedback in a brief survey. Your input can influence how we create and update our content to better support your AWS journey.

How do I troubleshoot the "ECS was unable to assume the role" error when I run Amazon ECS tasks?

3 minute read

When I run my Amazon Elastic Container Service (Amazon ECS) or AWS Fargate tasks, I receive the error "ECS was unable to assume the role."

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

If you incorrectly configured your IAM role or trust relationship, then you might receive the following error:

"ECS was unable to assume the role 'arn:aws:iam::444455556666:role/Admin' that was provided for this task. Please verify that the role being passed has the proper trust relationship and permissions and that your IAM user has permissions to pass this role."

To resolve, verify that your task role has the correct trust policy and confirm that you use the necessary IAM permissions for the IAM role.

Check your task role permissions

Make sure that your task definition includes the correct permissions for your IAM role. To check the permissions for your task role, complete the following steps:

Open the IAM console.
In the navigation pane, choose Roles.
Select your task role for your task definition.
Run the get-role AWS CLI command to review information about your task role:
```
aws iam get-role --role-name task-execution-role
```
Note: Replace task-execution-role with the name of your IAM role for your task.

If you don't have a task role, then create a task IAM role.

Configure the trust policy for ecs-tasks.amazonaws.com

For the Amazon ECS task to assume the IAM role, configure the trust policy to allow the ecs-tasks.amazonaws.com service.

Complete the following steps:

Open the IAM console.
In the navigation pane, choose Roles.
Select your task role, and then choose Trust relationships.

Verify that the trust policy has ecs-tasks.amazonaws.com as the service.
Example policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

If you don't have ecs-tasks.amazonaws.com set as the service, then choose Edit trust policy.
Update the policy with the example policy above and then choose Update policy.
In your task definition, specify the full IAM role ARN. For example, arn:aws:iam::444455556666:role/ecsTaskRole. For more information, see Updating an Amazon ECS task definition using the console.
Ensure that the IAM user or role that launches the Amazon ECS task has iam:PassRole permission.

Related information

Troubleshoot IAM roles

Amazon ECS task execution IAM role

Troubleshooting Amazon Elastic Container Service identity and access

Topics: Containers
Tags: Amazon Elastic Container Service
Language: English

AWS OFFICIALUpdated 6 months ago

1 Comment

What if it does have ecs-tasks.amazonaws.com in trust policies, but still have this error?

User-8662193

replied a year ago

Relevant content

Unable to override taskRoleArn when running ECS task from Lambda
AWS-User-4882383
asked 4 years ago
Allow a specific ECS service to assume a role
rePost-User-9590840
asked 2 years ago
CDK ECS Unable to assume role and validate the specified targetGroupArn. Please verify that the ECS service role being passed has the proper permissions
MarkoD
asked 2 years ago
ecs service was unable to place a task because your account is currently blocked
AWS-User-7941738
asked 4 years ago
"Role is not valid" when trying to register a new ECS task definition with cross account assumed roles
BarendB
asked 2 years ago
How do I resolve the CloudFormation error "Unable to assume role and validate" when I launch an Amazon ECS resource?
AWS OFFICIALUpdated 2 years ago
How do I configure my Amazon ECS task to assume an IAM role in another AWS account?
AWS OFFICIALUpdated a month ago
How do I resolve a "ResourceInitializationError" when I try to pull secrets or retrieve Amazon ECR authentication for ECS tasks?
AWS OFFICIALUpdated a year ago
How do I resolve the error "the closest matching container-instance container-instance-id encountered error 'AGENT'" for my service in Amazon ECS?
AWS OFFICIALUpdated 2 years ago
How do I troubleshoot CloudFormation error "Error occurred during operation 'CreateCluster SDK error: Service Unavailable. Please try again later."?
SUPPORT ENGINEER
Hemanth
published a year ago