How do I resolve the CloudFormation error "Unable to assume role and validate" when I launch an Amazon ECS resource?


I get an error message when I use AWS CloudFormation to launch an Amazon Elastic Container Service (Amazon ECS) resource (AWS::ECS::Service).

Short description

The error for a Classic Load Balancer is similar to the following message:

"CREATE_FAILED AWS::ECS::Service ECSService Unable to assume role and validate the listeners configured on your load balancer. Please verify the role being passed has the proper permissions."

The error for an Application Load Balancer is similar to the following message:

"CREATE_FAILED AWS::ECS::Service ECSService Unable to assume role and validate the specified targetGroupArn. Please verify that the ECS service role being passed has the proper permissions."

Resolution

To resolve the error for either a Classic Load Balancer or an Application Load Balancer, apply one or more of the following solutions:

  • Use either the AWS Identity and Access Management (IAM) role parameter from the Role property section of your CloudFormation template or the IAM service-linked role for ECS. Then, confirm that the IAM service-linked role has the correct permissions.
    Tip: You can use a CloudFormation template to build your ECS architecture components with the appropriate dependencies. The architecture components include an ECS cluster, a service, load balancers, container instances, and IAM resources.
  • Confirm that the TargetGroupArn property is the full ARN of the Elastic Load Balancing target group.
    Note: You specify a target group ARN when you set up an Application Load Balancer or Network Load Balancer.
  • Confirm that your Amazon EC2 Auto Scaling group or ECS container instance has an associated IAM instance profile.
  • Use the DependsOn attribute to declare the ECS service's dependency on the Application Load Balancer resources and the IAM resources. You can also use the CloudFormation template for reference. Or, use a custom resource to delay stack creation and give the service role permissions time to propagate.
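Putting those points together, the following is an added example template (not from this article) that wires an AWS::ECS::Service to an Application Load Balancer with an explicit service role, a full target group ARN obtained through !Ref, and DependsOn on the listener and the role. It assumes an existing cluster, a task definition in bridge network mode with a container named web, and a VPC and subnets, all passed in as parameters.

```yaml
# Added example (not from the AWS article). Cluster, task definition, VPC and subnets are assumed to exist.
Parameters:
  VpcId: { Type: AWS::EC2::VPC::Id }
  Subnets: { Type: List<AWS::EC2::Subnet::Id> }
  ClusterName: { Type: String }
  TaskDefinitionArn: { Type: String }
Resources:
  ECSServiceRole:  # explicit service role (the ECS service-linked role is the alternative)
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ecs.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole
  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Subnets: !Ref Subnets
  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Port: 80
      Protocol: HTTP
  Listener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancer
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref TargetGroup
  ECSService:
    Type: AWS::ECS::Service
    DependsOn: [Listener, ECSServiceRole]  # the listener is what attaches the target group to the ALB
    Properties:
      Cluster: !Ref ClusterName
      TaskDefinition: !Ref TaskDefinitionArn
      DesiredCount: 1
      Role: !GetAtt ECSServiceRole.Arn  # pass the role ARN so the service can validate the target group
      LoadBalancers:
        - ContainerName: web
          ContainerPort: 80
          TargetGroupArn: !Ref TargetGroup  # Ref on a target group returns its full ARN
```

Without the DependsOn on the listener, CloudFormation may create the service before the target group is attached to a load balancer, which produces the targetGroupArn validation error even when the role permissions are correct.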
AWS OFFICIAL
Updated 3 months ago