
How can I configure an execution role for a job definition in AWS Batch?

I'm trying to create a job definition via the AWS Batch UI, and when I try to set an execution role I get the following message:

There are no execution roles available at this time.

I followed the documentation and created an IAM role called ecsTaskExecutionRole, which has the following trusted entities:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

and added the AmazonECSTaskExecutionRolePolicy policy, which is defined like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}

However, I keep getting the message in the UI saying that there are no execution roles available.

Any help would be much appreciated.

Boris asked Sep 11 '25 03:09


1 Answer

Your trust policy is incorrect. You created a trust policy that can be used by EC2 instances, not by AWS Batch. As documented, the trust policy should be:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Mark B answered Sep 13 '25 01:09
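An added example, not part of the question or the answer above: a local check that reads a role's trust policy and reports whether `ecs-tasks.amazonaws.com` may assume it, and which other services are trusted. The function names are hypothetical; the two sample documents are the trust policies shown in the question and in the answer.

```python
import json

ECS_TASKS = "ecs-tasks.amazonaws.com"

def _as_list(value):
    # IAM accepts a single value or a list for Statement, Action and Service.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def trusted_services(trust_policy):
    """Service principals that an Allow statement lets call sts:AssumeRole.
    Simplification (assumption): Deny statements and Condition blocks are ignored."""
    doc = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    services = set()
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            services.update(s.lower() for s in _as_list(principal.get("Service")))
    return services

def check_execution_role(trust_policy):
    """Return a list of findings; an empty list means only ecs-tasks is trusted."""
    services = trusted_services(trust_policy)
    findings = []
    if ECS_TASKS not in services:
        findings.append("missing " + ECS_TASKS)
    for extra in sorted(services - {ECS_TASKS}):
        findings.append("also trusts " + extra)
    return findings

def _policy(service):
    # Builds the trust policy shape used on this page for a given service principal.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": service},
        "Action": "sts:AssumeRole"}]}

QUESTION_POLICY = _policy("ec2.amazonaws.com")       # as posted in the question
ANSWER_POLICY = _policy("ecs-tasks.amazonaws.com")   # as posted in the answer

if __name__ == "__main__":
    for name, doc in (("question", QUESTION_POLICY), ("answer", ANSWER_POLICY)):
        print(name, check_execution_role(doc) or "ok")
```

For a live role, the same document is returned under `Role.AssumeRolePolicyDocument` by `aws iam get-role --role-name ecsTaskExecutionRole`.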