Open lukehoban opened 1 year ago
The trust relationship is set when creating the role, so this shouldn't be caused by a missing dependency.
I think that this is caused by eventual consistency. IAM has a single global control plane in us-east-1 for the commercial partition; changes usually propagate within ~2 seconds to the other regions. So there's a chance that the role wasn't yet propagated into the target region by the time ECS tried to launch the task. We could fix this by adding a small create delay so that ECS doesn't end up in the 30s retry timeout.
In the last few `awsx.ecs.FargateService`s I've created, I've seen this in the ECS Service event log:

I don't recall ever seeing this with the classic AWSX provider. Is it possible we are not making the Service dependent on a policy being attached to the service role, such that the first attempt to do this fails? It appears this causes it to wait an additional 30s to retry, which materially increases the time to ready for the end to end deployment (4m21s vs. presumably 3m51s without this).