166

I'm trying to deploy a docker container image to AWS using ECS, but the EC2 instance is not being created. I have scoured the internet looking for an explanation as to why I'm receiving the following error:

"A client error (InvalidParameterException) occurred when calling the RunTask operation: No Container Instances were found in your cluster."

Here are my steps:

1. Pushed a docker image FROM Ubuntu to my Amazon ECS repo.

2. Registered an ECS Task Definition:

```bash
aws ecs register-task-definition --cli-input-json file://path/to/my-task.json
```

3. Ran the task:

```bash
aws ecs run-task --task-definition my-task
```

Yet, it fails.

Here is my task:

```json
{
  "family": "my-task",
  "containerDefinitions": [
    {
      "environment": [],
      "name": "my-container",
      "image": "my-namespace/my-image",
      "cpu": 10,
      "memory": 500,
      "portMappings": [
        {
          "containerPort": 8080,
          "hostPort": 80
        }
      ],
      "entryPoint": [
        "java",
        "-jar",
        "my-jar.jar"
      ],
      "essential": true
    }
  ]
}
```

I have also tried using the management console to configure a cluster and services, yet I get the same error. How do I configure the cluster to have EC2 instances, and what kind of container instances do I need to use? I thought this whole process was to create the EC2 instances to begin with!!

Pat Myron
cosbor11
  • I feel like I saw this when I went fast in between the steps of creating a cluster and running a task. – Ben Creasy Jul 20 '18 at 07:26
  • Related: [service unable to place a task](https://stackoverflow.com/q/44169719/55075) & [terraform-ecs. Registered container instance is showing 0](https://stackoverflow.com/q/46578949/55075) – kenorb Mar 12 '19 at 22:05
  • This is the correct answer, permit VPC to reach ECR via ECR IP range or the PrivateLink https://stackoverflow.com/questions/53190853/security-group-egress-rule-to-only-permit-ecr-requests – Stof Nov 07 '22 at 22:46

13 Answers

231

I figured this out after a few more hours of investigating. Amazon, if you are listening, you should state this somewhere in your management console when creating a cluster or adding instances to the cluster:

"Before you can add ECS instances to a cluster you must first go to the EC2 Management Console and create ecs-optimized instances with an IAM role that has the AmazonEC2ContainerServiceforEC2Role policy attached"

Here is the rigmarole:

1. Go to your EC2 Dashboard, and click the Launch Instance button.

2. Under Community AMIs, Search for ecs-optimized, and select the one that best fits your project needs. Any will work. Click next.

3. When you get to Configure Instance Details, click on the create new IAM role link and create a new role called ecsInstanceRole.

4. Attach the AmazonEC2ContainerServiceforEC2Role policy to that role.

5. Then, finish configuring your ECS Instance.
NOTE: If you are creating a web server you will want to create a securityGroup to allow access to port 80.

After a few minutes, when the instance is initialized and running, you can refresh the ECS Instances tab you are trying to add instances to.

Addison
cosbor11
  • 12
    Selecting the suggested ami which was specified for the given region solved my problem. To find out the ami you should select check this url http://docs.aws.amazon.com/AmazonECS/latest/developerguide/launch_container_instance.html – sanath_p Jun 26 '16 at 05:50
  • 1
    not seeing AmazonEC2ContainerServiceforEC2Role, is there any change since your last post? – BlueDolphin Oct 23 '17 at 05:39
  • 1
    @BlueDolphin I was able to find that policy when I created a new Role in IAM. – cyrf Dec 04 '17 at 18:20
  • you just saved me, I would vote this twice if I could – Rodrigo Dec 08 '17 at 23:39
  • 7
    It's worth noting now (April 2018) if you're using the currently Beta Fargate (https://aws.amazon.com/fargate/) to _avoid_ this whole type of hassle, you might like me just have selected `EC2` as the launch type when you got this error... – declension Apr 03 '18 at 10:10
  • 15
    And, when creating EC2, don't forget to add `#!/bin/bash echo ECS_CLUSTER=your_cluster_name >> /etc/ecs/ecs.config` in `Advanced Details -> User data` if you have your own, non Default cluster. Otherwise the newly created EC2 instance will create the Default cluster. – Jakub Czaplicki Jul 28 '18 at 17:49
  • Hi, I am facing the same problem. My EC2 instance is not launched on creating a new cluster other than t2.micro, and that then leads to the same error on creating any service on that cluster. I checked that I have 'AmazonEC2ContainerServiceforEC2Role' attached to ecsinstance Role and I explicitly added this as a policy to my IAM user. But still the same issue. Any help!!! – ronit Sep 19 '18 at 15:05
  • When you copy an existing launch configuration and change its name, the `ecsInstanceRole` "IAM Instance Profile" gets defaulted back to None, and even if you're using an `ecs-optimized` AMI you still get the same "No container instances were found" message. That is the piece I was missing. – fred271828 Oct 30 '18 at 15:21
  • Why has it got to be so convoluted and in need of obscure steps, I wonder? It should be supposed to be easy! thank you Sir you saved my day – iomv Nov 14 '18 at 14:14
  • It's interesting that I randomly started an EC2 and created a cluster and it just worked... I didn't have to do anything. Now I tried again and it randomly stopped working. I followed your instructions and it's still not finding a container. – Totty.js Jan 18 '19 at 14:05
  • @declension I'm using Fargate and I'm getting this error when launching as `EC2` type – Martynas Jusevičius Aug 08 '19 at 20:23
  • Lol, AWS ECS - making deploying containers easy...! – Snowcrash Oct 20 '20 at 10:52
  • This helped me to start a container. But, port mapping didn't happen. more details: https://stackoverflow.com/questions/64632279/port-mapping-didnt-happen-for-a-container-deployed-on-aws-ecsuses-ec2 – Naveen Reddy Marthala Nov 04 '20 at 12:41
  • Didn't work for me. The permission was already assigned (automatically?) and finding/choosing a supposed ecs-optimized AMI didn't change anything. – Dustin Oprea Mar 20 '21 at 02:19
  • That's correct! But when I try to create a task it says "RESOURCE:MEMORY (Error)", memory loss for t2.small, moral, can not be used under free tier –  Sep 11 '21 at 17:36
  • If anyone doesn't want to use ecs-optimised then you can add the ECS agent to any regular AMI https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-install.html – Ubaid Qureshi Nov 15 '21 at 10:20
  • If anyone wonders why you need to use ECS-optimized AMI, the reason is that, according to AWS's docs, for Amazon ECS container instances, `Your container instance must be running the Amazon ECS container agent. The container agent is able to register the instance into one of your clusters. If you are using an Amazon ECS-optimized AMI, the agent is already installed. To use a different operating system, install the agent.` https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ECS_instances.html – Duke Caesar Feb 10 '23 at 09:54
59

I ran into this issue when using Fargate. I fixed it when I explicitly defined launchType="FARGATE" when calling run_task.

Milan Cermak
  • 10
    With the CLI I added `--launch-type FARGATE` – shlomiLan Jun 19 '19 at 12:49
  • 2
    Thanks Milan, that worked for me even with Python API. – Lars Sep 16 '20 at 10:56
  • 1
    Totally fixed it for me. The answer above didn't make sense, because I didn't need to do that from the wizard. – jon077 Sep 25 '20 at 12:52
  • 2
    Same same. For clarity, there are only 2 launch types: 'FARGATE' or 'EC2'. AWS docs don't show it well but the ECS default is EC2. EC2 requires provisioned instances to start the containers for a task in. So it's a little obscure, but if you're using Fargate and you don't specify the Fargate launch type you're running into the classic 'no container instance' issue seen [here](https://stackoverflow.com/a/55158931/7547940) – rayepps Feb 12 '21 at 04:53
  • 2
    This is the stuff i just love SO for. – Matt The Ninja Apr 21 '22 at 15:03
  • There is also 'EXTERNAL' launch type. Feel free to check the docs --> https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ecs.html#ECS.Client.run_task – flowfelis Jun 27 '22 at 09:11
  • oh man! thanks for this. I had been trying to figure this out for hours! – fingerprints Aug 31 '22 at 18:00
  • This solved my problem. Even if you define FARGATE in your task definition, you need to add `launchType="FARGATE"` in your `run_task()` method. – Ellery Leung Jul 10 '23 at 07:10
48

Currently, the Amazon AWS web interface can automatically create instances with the correct AMI and the correct name so it'll register to the correct cluster.

Even though all instances were created by Amazon with the correct settings, my instances wouldn't register. On the Amazon AWS forums I found a clue. It turns out that your clusters need internet access and if your private VPC does not have an internet gateway, the clusters won't be able to connect.

The fix

In the VPC dashboard you should create a new Internet Gateway and connect it to the VPC used by the cluster. Once attached, you must update (or create) the route table for the VPC and add as the last line:

```
0.0.0.0/0 igw-24b16740
```

Where igw-24b16740 is the name of your freshly created internet gateway.

P_W999
  • This is mentioned at http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html *[EC2-VPC] Check the route table for the subnet. You need a route that sends all traffic destined outside the VPC to the Internet gateway for the VPC.* – Justin M. Keyes Jun 22 '17 at 10:15
  • 3
    Thank you for the clue! I had assigned a security group to my instances which blocked all outbound traffic except for traffic to my load balancer. I switched this to allow all outbound traffic but restrict incoming traffic from the load balancer only, and the instances then appeared in my EC2 cluster. – Mikepote Nov 02 '17 at 22:10
  • 1
    I wish I could up vote your answer more than once. This fixed my exact problem "No Container Instances were found in your cluster." and the original answer voted more had nothing to do with your actual solution. Thank you again. – alexkb Aug 13 '18 at 08:05
  • As well as associating the gateway with your VPC, you may need to route internet traffic through it for the specific subnet that houses your ECS instances. - for eg `aws ec2 associate-route-table --subnet-id $SUBNET_ID --route-table-id $ROUTE_TABLE_ID` - can I suggest adding this to the answer? – Greg Oct 03 '18 at 02:51
  • 1
    I think it is worth mentioning that the moment you add a route for 0.0.0.0/0 pointing to an IGW the subnet is no longer a private subnet. From a network security perspective it is better to create a route pointing to a NAT-Gateway. – Henrik Pingel Feb 08 '19 at 12:05
  • This is great, also try to remember "auto-assign public IP", which you may forget even when routes to the IGW are set. If you got it wrong, no worries, stop the ECS container instance in EC2, it will actually terminate itself and restart a new one then register. – dz902 Jan 25 '21 at 04:04
  • This wasn't the solution in my case and was already configured as such. – Dustin Oprea Mar 20 '21 at 02:13
13

Other suggested checks

  1. Selecting the suggested AMI which was specified for the given region solved my problem.

     To find out the AMI, check Launching an Amazon ECS Container Instance.

  2. By default, all the EC2 instances are added to the default cluster, so the name of the cluster also matters.

     See point 10 at Launching an Amazon ECS Container Instance.

More information available in this thread.

Niklas Rosencrantz
sanath_p
5

When this happens, you need to look to the following:

  1. Your EC2 instances should have a role with AmazonEC2ContainerServiceforEC2Role managed policy attached to it
  2. Your EC2 Instances should be running AMI image which is ecs-optimized (you can check this in EC2 dashboard)
  3. Your VPC's private subnets don't have public IPs assigned, OR you do not have an interface VPC endpoint configured, OR you don't have NAT gateway set up

Most of the time, this issue appears because of the misconfigured VPC. According to the Documentation:

> If you do not have an interface VPC endpoint configured and your container instances do not have public IP addresses, then they must use network address translation (NAT) to provide this access.

  • To create a VPC endpoint: follow the documentation here
  • To create a NAT gateway: follow the documentation here

These are the reasons why you don't see the EC2 instances listed in the ECS dashboard.

Ashot
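The checks listed in the answer above (instance role, route to the ECS endpoints, public IP or NAT or interface endpoints), together with the outbound security-group rule raised in a comment on an earlier answer, can be run against saved `describe` output. This is an added example, not code from the thread; the finding labels and sample IDs are constructed, and it assumes the agent needs outbound HTTPS (TCP 443) and that the three ECS interface endpoints are `ecs-agent`, `ecs-telemetry` and `ecs`.

```python
# Added example. Inputs are constructed dicts shaped like the JSON printed by
# `aws ec2 describe-instances`, `describe-route-tables` and `describe-security-groups`.
ECS_ENDPOINTS = ("ecs-agent", "ecs-telemetry", "ecs")  # interface endpoint name suffixes

def default_route(subnet_id, route_tables):
    """Return the subnet's 0.0.0.0/0 route (explicit table, else the main one) or {}."""
    explicit = main = None
    for rt in route_tables:  # assumed: every table belongs to the instance's VPC
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                explicit = rt
            elif assoc.get("Main"):
                main = rt
    routes = (explicit or main or {}).get("Routes", [])
    return next((r for r in routes if r.get("DestinationCidrBlock") == "0.0.0.0/0"), {})

def https_egress_allowed(instance, security_groups):
    """True if an attached group allows outbound TCP 443 to a CIDR (its reach is not checked)."""
    attached = {g["GroupId"] for g in instance.get("SecurityGroups", [])}
    perms = [p for sg in security_groups if sg["GroupId"] in attached
             for p in sg.get("IpPermissionsEgress", [])]
    return any(p.get("IpRanges") and (p["IpProtocol"] == "-1" or (p["IpProtocol"] == "tcp"
               and p.get("FromPort", 0) <= 443 <= p.get("ToPort", 65535))) for p in perms)

def diagnose(instance, route_tables, security_groups, endpoint_services=()):
    """Return the registration blockers discussed in this thread that apply."""
    findings = []
    if "IamInstanceProfile" not in instance:
        findings.append("no-instance-profile")
    endpoints = all(any(s.endswith("." + n) for s in endpoint_services) for n in ECS_ENDPOINTS)
    route = default_route(instance["SubnetId"], route_tables)
    via_igw = route.get("GatewayId", "").startswith("igw-")
    via_nat = route.get("NatGatewayId", "").startswith("nat-")
    if via_igw and "PublicIpAddress" not in instance and not endpoints:
        findings.append("igw-route-but-no-public-ip")
    elif not (via_igw or via_nat or endpoints):
        findings.append("no-path-to-ecs-endpoints")
    if not https_egress_allowed(instance, security_groups):
        findings.append("security-group-blocks-https-egress")
    return findings

# Constructed sample: NAT-routed private subnet, role attached, egress only to port 80.
INSTANCE = {"SubnetId": "subnet-a", "IamInstanceProfile": {"Arn": "constructed"},
            "SecurityGroups": [{"GroupId": "sg-1"}]}
ROUTES = [{"Associations": [{"SubnetId": "subnet-a"}],
           "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]}]
GROUPS = [{"GroupId": "sg-1", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}]
print(diagnose(INSTANCE, ROUTES, GROUPS))  # ['security-group-blocks-https-egress']
```

An empty result means none of these blockers apply; the cluster name in `/etc/ecs/ecs.config` and the AMI still need checking on the instance itself.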
4

Just in case someone else is blocked with this problem as I was... I've tried everything here and didn't work for me.

Besides what was said here regarding the EC2 Instance Role, as commented here, in my case it only worked once I also configured the EC2 Instance with some simple information, using an initial User Data script like this:

```bash
#!/bin/bash
cat <<'EOF' >> /etc/ecs/ecs.config
ECS_CLUSTER=quarkus-ec2
EOF
```

Setting the related ECS Cluster Name in this ECS config file resolved my problem. Without this config, the ECS Agent Log on the EC2 Instance was showing an error that it was not possible to connect to ECS; after doing this, I got the EC2 Instance visible to the ECS Cluster.

After doing this, I could get the EC2 Instance available for my EC2 Cluster.

The AWS documentation said that this part is optional, but in my case, it didn't work without this "optional" configuration.

Ualter Jr.
2

The real issue is lack of permission. As long as you create and assign an IAM Role with AmazonEC2ContainerServiceforEC2Role permission, the problem goes away.

Ben
2

If you have come across this issue after creating the cluster

Go to the ECS instance in the EC2 instances list and check the IAM role that you have assigned to the instance. You can identify the instances easily, as the instance name starts with ECS Instance.

After that click on the IAM role and it will direct you to the IAM console. Select the AmazonEC2ContainerServiceforEC2Role policy from the permission policy list and save the role.

Your instances will be available in the cluster shortly after you save it.

sandaru.ny
1

I realize this is an older thread, but I stumbled on it after seeing the error the OP mentioned while following this tutorial.

Changing to an ecs-optimized AMI image did not help. My VPC already had a route 0.0.0.0/0 pointing to the subnet. My instances were added to the correct cluster, and they had the proper permissions.

Thanks to @sanath_p's link to this thread, I found a solution and took these steps:

  1. Copied my Autoscaling Group's configuration
  2. Set IP address type under the Advanced settings to "Assign a public IP address to every instance"
  3. Updated my Autoscaling Group to use this new configuration.
  4. Refreshed my instances under the Instance refresh tab.
paulmiller3000
0

Another possible cause that I ran into was updating my ECS cluster AMI to an "Amazon Linux 2" AMI instead of an "Amazon Linux AMI", which caused my EC2 user_data launch script to not work.

skeller88
0

For instance images other than ecs-optimized, please do the step below.

```
ECS_CLUSTER=REPLACE_YOUR_CLUSTER_NAME
```

  • Add the above content to /etc/ecs/ecs.config
0

The VPC will need to communicate with the ECR.

To do this, the security group attached to the VPC will need an outbound rule of 0.0.0.0/0.

0

Some of the other answers are ambiguous. One issue may be, if you have not created the ASG automatically, that the User Data has not been correctly set.

It should look as follows (replace ClusterName with your cluster):

```bash
#!/bin/bash
echo ECS_CLUSTER=ClusterName >> /etc/ecs/ecs.config;
```

This can be entered by modifying the launch template (creating a new version), scrolling to "Advanced details", and entering this into the User Data text box at the bottom.

George