@shinyaz

ECS NLB infra role policy ARN has no service-role/ prefix


Tried attaching AmazonECSInfrastructureRolePolicyForLoadBalancers to an ECS infra role using the same ARN pattern as other ECS policies. It failed.

```bash
# ❌ This fails
aws iam attach-role-policy --role-name myRole \
  --policy-arn arn:aws:iam::aws:policy/service-role/AmazonECSInfrastructureRolePolicyForLoadBalancers
```

Output:

```text
An error occurred (NoSuchEntity) when calling the AttachRolePolicy operation: Policy ... does not exist or is not attachable.
```

The correct ARN has no service-role/ prefix.

```bash
# ✅ Correct
aws iam attach-role-policy --role-name myRole \
  --policy-arn arn:aws:iam::aws:policy/AmazonECSInfrastructureRolePolicyForLoadBalancers
```

Easy to get wrong because AmazonECSTaskExecutionRolePolicy uses arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy. Even within the AmazonECSInfrastructureRolePolicyFor* family, ForVolumes and ForServiceConnectTransportLayerSecurity have the service-role/ prefix while ForLoadBalancers and ForVpcLattice don't. Safest to verify with aws iam list-policies --scope AWS --query "Policies[?starts_with(PolicyName,'AmazonECS')].[PolicyName,Arn]".
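The lookup suggested above can be turned into the attach step itself, so that a guessed path never reaches AttachRolePolicy. The script below is an added example, not part of the original post: it resolves the ARN by exact PolicyName match from a listing and only then attaches. SAMPLE_LISTING is constructed data in the shape of the text output of the list-policies query from the post; in real use it would be replaced by that command's output, and the function names, the DRY_RUN switch and the sample data are all assumptions made for this example.

```shell
#!/bin/sh
# Added example: resolve an AWS managed policy ARN by name instead of guessing
# whether its path carries a service-role/ prefix.
# SAMPLE_LISTING is CONSTRUCTED data in the shape of
#   aws iam list-policies --scope AWS --output text \
#     --query "Policies[?starts_with(PolicyName,'AmazonECS')].[PolicyName,Arn]"
# Replace it with that command's real output when using this for real.

SAMPLE_LISTING='AmazonECSTaskExecutionRolePolicy arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
AmazonECSInfrastructureRolePolicyForVolumes arn:aws:iam::aws:policy/service-role/AmazonECSInfrastructureRolePolicyForVolumes
AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity arn:aws:iam::aws:policy/service-role/AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity
AmazonECSInfrastructureRolePolicyForLoadBalancers arn:aws:iam::aws:policy/AmazonECSInfrastructureRolePolicyForLoadBalancers
AmazonECSInfrastructureRolePolicyForVpcLattice arn:aws:iam::aws:policy/AmazonECSInfrastructureRolePolicyForVpcLattice'

# resolve_policy_arn NAME LISTING
# Prints the ARN whose PolicyName equals NAME exactly (no prefix guessing,
# no substring matching). Exit 1 if no such policy, exit 2 if more than one.
resolve_policy_arn() {
    _name=$1
    _listing=$2
    _matches=$(printf '%s\n' "$_listing" | awk -v n="$_name" '$1 == n { print $2 }')
    _count=$(printf '%s\n' "$_listing" | awk -v n="$_name" '$1 == n { c++ } END { print c+0 }')
    case $_count in
        0) printf 'no AWS managed policy named %s\n' "$_name" >&2; return 1 ;;
        1) printf '%s\n' "$_matches" ;;
        *) printf 'ambiguous name %s (%s matches)\n' "$_name" "$_count" >&2; return 2 ;;
    esac
}

# attach_by_name ROLE NAME LISTING
# Resolves the ARN first, so a wrong path never reaches AttachRolePolicy.
# With DRY_RUN=1 (hypothetical switch for this example) the command is
# printed instead of calling the AWS CLI.
attach_by_name() {
    _role=$1
    _arn=$(resolve_policy_arn "$2" "$3") || return $?
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'aws iam attach-role-policy --role-name %s --policy-arn %s\n' "$_role" "$_arn"
    else
        aws iam attach-role-policy --role-name "$_role" --policy-arn "$_arn"
    fi
}

# Demo: the ARN comes from the listing, whichever path AWS chose for it.
# Unset DRY_RUN to actually call the CLI.
DRY_RUN=1
attach_by_name myRole AmazonECSInfrastructureRolePolicyForLoadBalancers "$SAMPLE_LISTING"
attach_by_name myRole AmazonECSInfrastructureRolePolicyForVolumes "$SAMPLE_LISTING"
```

Because the match is on the exact PolicyName column, a typo in the name fails closed with a non-zero exit instead of attaching a neighbouring policy, and the two ForVolumes/ForLoadBalancers cases from the post resolve to different paths without any special-casing in the script.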


Shinya Tahara


Solutions Architect @ AWS

I'm a Solutions Architect at AWS, providing technical guidance primarily to financial industry customers. I share learnings about cloud architecture and AI/ML on this site. The views and opinions expressed on this site are my own and do not represent the official positions of my employer.