Error registering: NoCredentialProviders: no valid providers in chain ECS agent error

Question

Im trying to use EC2 Container service. Im using terraform for creating it. I have defined a ecs cluster, autoscaling group, launch configuration. All seems to work. Except one thing. The ec2 instances are creating, but they are not register in the cluster, cluster just says no instances available.

In ecs agent log on created instance i found logs flooded with one error:

Error registering: NoCredentialProviders: no valid providers in chain

The ec2 instances are created with a proper role ecs_role. This role has two policies, one of them is following, like docs required:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateCluster",
        "ecs:DeregisterContainerInstance",
        "ecs:DiscoverPollEndpoint",
        "ecs:Poll",
        "ecs:RegisterContainerInstance",
        "ecs:StartTelemetrySession",
        "ecs:Submit*",
        "ecs:StartTask"
      ],
      "Resource": "*"
    }
  ]
}

Im using ami ami-6ff4bd05 . Latest terraform.

Answer 1

It was a problem with trust relationships in the role as the role should include ec2. Unfortunately the error message was not all that helpful.

Example of trust relationship:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": ["ecs.amazonaws.com", "ec2.amazonaws.com"]
      },
      "Effect": "Allow"
    }
  ]
}

Answer 2

Make sure you select the correct ECS role in the launch configuration.

Answer 3

您可能希望将 AmazonEC2RoleforSSM（或 AmazonSSMFullAccess）添加到您的 EC2 角色。

Answer 4

显然，当传递无效的 aws-profile 时，也会出现此错误消息。

Answer 5

I spent 2 days trying out everything without any luck. I have a standard setup ie ecs cluster instance in private subnet, ELB in public subnet, NAT and IGW properly set up in respective security groups, IAM role properly defined, standard config in NACL, etc. Despite everything the ec2 instances wouldnt register with the ecs cluster. Finally I figured out that my custom VPC's DHCP Options Set was configured for 'domain-name-servers: xx.xx.xx.xx, xx.xx.xx.xx' IP address of my org's internal DNS IPs...

The solution is to have following values for the DHCP Options Set: Domain Name: us-west-2.compute.internal (assuming your vpc is in us-west-2), Options: domain-name: us-west-2.compute.internal domain-name-servers: AmazonProvidedDNS

Answer 6

如果您使用 taskDefinition ，请检查您是否设置了执行和 taskRole ARN 并为该角色设置了正确的策略。

Answer 7

I got this error today and figured out the problem: I missed setting the IAM role in launch template (it is under Advanced section). You need to set it to ecsInstanceRole (this is the default name AWS gives - so check if you have changed it and use accordingly).

I had switched from Launch Configuration to Launch Template, and while setting up the Launch Template, I missed adding the role!