ECS Managed Instances daemons require a dedicated IAM policy

While verifying ECS Managed Daemons, daemon tasks refused to start — instances stuck in REGISTERING, no log streams created, and the circuit breaker returned ROLLBACK_SUCCESSFUL. App tasks worked fine without daemons.

The culprit was the instance profile policy. I had attached AmazonEC2ContainerServiceforEC2Role (the legacy policy for the EC2 launch type), but Managed Instances requires the dedicated AmazonECSInstanceRolePolicyForManagedInstances. This was one of the issues — attaching the correct policy is a prerequisite for daemons to start.

Terminal
# ❌ Daemons won't start with this
aws iam attach-role-policy --role-name ecsInstanceRole \
  --policy-arn arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role
# ✅ Dedicated Managed Instances policy
aws iam attach-role-policy --role-name ecsInstanceRole \
  --policy-arn arn:aws:iam::aws:policy/AmazonECSInstanceRolePolicyForManagedInstances
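As an added example (written for this post, not code from the original author or from AWS), here is a small POSIX sh check that classifies the policies attached to an ECS instance role: it reports whether the dedicated Managed Instances policy is present and whether only the legacy EC2 policy is attached, which is exactly the misconfiguration described above. The role name ecsInstanceRole and both policy ARNs come from the post; the function fetch_attached_policy_arns wraps the real aws iam list-attached-role-policies call, while the sample ARN list used in the demo is constructed so the script runs without credentials.

```shell
#!/bin/sh
# Added example for this post (not the author's code). Checks which of the two
# policies named in the post are attached to an ECS instance role.

MANAGED_POLICY_ARN='arn:aws:iam::aws:policy/AmazonECSInstanceRolePolicyForManagedInstances'
LEGACY_POLICY_ARN='arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role'

# fetch_attached_policy_arns ROLE_NAME
# Prints one attached policy ARN per line using the AWS CLI (needs credentials).
fetch_attached_policy_arns() {
  aws iam list-attached-role-policies --role-name "$1" \
    --query 'AttachedPolicies[].PolicyArn' --output text | tr '\t' '\n'
}

# classify_role_policies ARN_LIST
# ARN_LIST is a whitespace/newline-separated list of policy ARNs.
# Prints one status word and returns 0 only when daemons can be expected to start:
#   ok                       - Managed Instances policy attached, legacy absent
#   ok-legacy-also-attached  - Managed Instances policy attached, legacy also present
#   legacy-only              - only the legacy EC2 launch-type policy (the post's bug)
#   none                     - neither policy attached
classify_role_policies() {
  has_managed=0
  has_legacy=0
  for arn in $1; do   # ARNs contain no whitespace, so word splitting is safe
    [ "$arn" = "$MANAGED_POLICY_ARN" ] && has_managed=1
    [ "$arn" = "$LEGACY_POLICY_ARN" ] && has_legacy=1
  done
  if [ "$has_managed" -eq 1 ] && [ "$has_legacy" -eq 0 ]; then
    echo ok; return 0
  elif [ "$has_managed" -eq 1 ]; then
    echo ok-legacy-also-attached; return 0
  elif [ "$has_legacy" -eq 1 ]; then
    echo legacy-only; return 1
  else
    echo none; return 1
  fi
}

# remediation_hint STATUS
# Prints the attach command from the post when the Managed Instances policy is missing.
remediation_hint() {
  case "$1" in
    legacy-only|none)
      echo "aws iam attach-role-policy --role-name ecsInstanceRole --policy-arn $MANAGED_POLICY_ARN" ;;
    *)
      echo "no change needed" ;;
  esac
}

# Demo on a constructed sample: what the CLI would return for a role that only
# has the legacy policy attached (the situation described in the post).
SAMPLE_ARNS="$LEGACY_POLICY_ARN
arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"

status=$(classify_role_policies "$SAMPLE_ARNS")
echo "sample role status: $status"
echo "remediation: $(remediation_hint "$status")"

# Live check, only when a role name is supplied and the AWS CLI is configured.
if [ -n "${ECS_ROLE_NAME:-}" ]; then
  live_status=$(classify_role_policies "$(fetch_attached_policy_arns "$ECS_ROLE_NAME")")
  echo "$ECS_ROLE_NAME status: $live_status"
  echo "remediation: $(remediation_hint "$live_status")"
fi
```

Run it with ECS_ROLE_NAME=ecsInstanceRole set to inspect a real role; without it the script only evaluates the constructed sample. The check matches exact ARNs rather than substrings so that a similarly named customer-managed policy is not mistaken for the AWS managed one.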

It's documented in the instance profile guide, but if you have existing ECS experience, you'll instinctively reach for the legacy policy.

Shinya Tahara

Solutions Architect @ AWS

I'm a Solutions Architect at AWS, providing technical guidance primarily to financial industry customers. I share learnings about cloud architecture and AI/ML on this site. The views and opinions expressed on this site are my own and do not represent the official positions of my employer.