Resource handler returned message: "Invalid request provided: CreateService error: Access Denied"

Question · Votes: 0 · Answers: 1

I am creating a CloudFormation stack for ECS, but I get this Access Denied error and my stack fails.

Error: Resource handler returned message: "Invalid request provided: CreateService error: Access Denied (Service: AmazonECS; Status Code: 400; Error Code: AccessDeniedException; Request ID: c894016a-395d-4468-92fa-b63a2a4642f9; Proxy: null)" (RequestToken: 5d151803-6b53-02ea-8903-7c34934b251e, HandlerErrorCode: InvalidRequest)

I have tried several solutions available on the internet, but none of them worked for me. I even tried creating a separate ExecutionRole, but it gave the same error. I tried creating the same stack using the root user, and it works in my personal account. But when I log in as an IAM user, it gives the Access Denied error.

I am using nested stacks. Here is my root.yaml file, which you can try in your own account.

root.yaml:https://cloudformation-exam-paranjay.s3.ap-south-1.amazonaws.com/exam2/root.yaml

ECS.yml:

---
AWSTemplateFormatVersion: '2010-09-09'
Description: The template used to create an ECS Service from the ECS Console.
Parameters:
  ECSClusterName:
    Type: String
    Default: ecs-tutorial
  ECSServiceName:
    Type: String
    Default: ecs-tutorial-td
  LoadBalancerName:
    Type: String
    Default: ecs-tutorial-lb
  WAFName:
    Type: String
    Default: AllowAllTrafficAcl

Resources:
  ECSService:
    Type: AWS::ECS::Service
    Properties:
      Cluster: ecs-tutorial
      CapacityProviderStrategy:
      - CapacityProvider: FARGATE
        Base: 0
        Weight: 1
      TaskDefinition: !Ref TaskDefinition #arn:aws:ecs:us-east-1:818971154557:task-definition/ecs-tutorial-td:1
      ServiceName: ecs-tutorial-td
      # SchedulingStrategy: REPLICA
      DesiredCount: 2
      LoadBalancers:
      - ContainerName: tindog
        ContainerPort: 80
        LoadBalancerName:
          Ref: AWS::NoValue
        TargetGroupArn:
          Ref: TargetGroup
      NetworkConfiguration:
        AwsvpcConfiguration:
          # AssignPublicIp: ENABLED
          SecurityGroups: !Split [",", !ImportValue ECSSecurityGroup]
          Subnets:
            - !ImportValue PrivateSubnet1Id
            - !ImportValue PrivateSubnet2Id
      DeploymentController:
        Type: ECS
    DependsOn:
    - Listener

  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: tindog-website-family
      # TaskRoleArn: !ImportValue ECSTaskRoleARN  # Import the IAM role ARN from another stack
      Cpu: 512 #0.5cpu
      Memory: 1024  #1gb
      NetworkMode: awsvpc
      # ExecutionRoleArn: !ImportValue ECSTaskRoleARN 
      ContainerDefinitions:
        - Name: tindog
          Image: paranjay1/tindog:latest
          PortMappings:
            - ContainerPort: 80

      RequiresCompatibilities:
        - EC2
        - FARGATE

  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Name: ecs-tutorial-lb
      SecurityGroups: !Split [",", !ImportValue ECSSecurityGroup]
      Subnets:
        - !ImportValue PublicSubnet1Id
        - !ImportValue PublicSubnet2Id

  TargetGroup:
    DependsOn: LoadBalancer
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      HealthCheckPath: "/"
      HealthCheckProtocol: HTTP
      Name: ecs-tutorial-target-group
      Port: 80
      Protocol: HTTP
      TargetType: ip
      VpcId: !ImportValue VPCID
      TargetGroupAttributes:
      - Key: deregistration_delay.timeout_seconds
        Value: '300'

  Listener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      DefaultActions:
      - Type: forward
        TargetGroupArn:
          Ref: TargetGroup
      LoadBalancerArn:
        Ref: LoadBalancer
      Port: 80
      Protocol: HTTP

  MyWAFWebACL:
    Type: AWS::WAFv2::WebACL
    DependsOn: LoadBalancer
    Properties:
      Name: !Ref WAFName 
      Scope: REGIONAL
      DefaultAction:
        Allow: {}  # An empty Allow block allows all traffic 
      VisibilityConfig:
        CloudWatchMetricsEnabled: true  # Enable CloudWatch metrics collection
        MetricName: MyWafMetric  # Define a metric name for WAF logs
        SampledRequestsEnabled: true  # Enable capturing a sample of requests for analysis

  MyWAFWebACLAsgn:
    DependsOn: MyWAFWebACL
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      WebACLArn: !GetAtt MyWAFWebACL.Arn
      ResourceArn: !Ref LoadBalancer
  
Outputs:
  ClusterName:
    Description: The cluster used to create the service.
    Value:
      Ref: ECSClusterName
  ECSService:
    Description: The created service.
    Value:
      Ref: ECSService
  LoadBalancer:
    Description: The created load balancer.
    Value:
      Ref: LoadBalancer
  Listener:
    Description: The created listener.
    Value:
      Ref: Listener
  TargetGroup:
    Description: The created target group.
    Value:
      Ref: TargetGroup
  LoadBalancerDNSName:
    Description: The DNS name of the load balancer.
    Value: !GetAtt LoadBalancer.DNSName
    Export:
      Name: LoadBalancerDNSName
  LoadBalancerARN:
    Description: "ALB ARN"
    Value: !GetAtt LoadBalancer.LoadBalancerArn
    Export:
      Name: "LoadBalancerARN"

I am using an IAM user, and I have the following permissions attached to the IAM user:

amazon-web-services aws-cloudformation amazon-ecs
1 Answer

0 votes

You are using CFN to create ECS, but I do not see that you have any CFN-related permissions. Let's try adding the CFN permissions to create resources and any other related ones; you can check this page to see which permissions you may need: https://aws.permissions.cloud/iam/cloudformation#cloudformation-CreateResource
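To work out which actions a deploying IAM user needs for a template like the ECS.yml above instead of guessing, the following added example (not code from the question or the answer) scans the template text line by line for resource types and for role properties that would require iam:PassRole, then emits a scoped policy document. Assumptions: the resource-type-to-action mapping is a hand-written minimal set, the scan is line-based rather than a full YAML parse, and the role ARN is a placeholder.

```python
import re
# Assumption: minimal action set for the resource types in the question's ECS.yml plus nested stacks.
ACTIONS_BY_TYPE = {  # resource type -> (IAM service prefix, API verbs)
    "AWS::ECS::Service": ("ecs", ["CreateService", "UpdateService", "DeleteService"]),
    "AWS::ECS::TaskDefinition": ("ecs", ["RegisterTaskDefinition", "DeregisterTaskDefinition"]),
    "AWS::ElasticLoadBalancingV2::LoadBalancer": ("elasticloadbalancing", ["CreateLoadBalancer", "DeleteLoadBalancer"]),
    "AWS::ElasticLoadBalancingV2::TargetGroup": ("elasticloadbalancing", ["CreateTargetGroup", "DeleteTargetGroup"]),
    "AWS::ElasticLoadBalancingV2::Listener": ("elasticloadbalancing", ["CreateListener", "DeleteListener"]),
    "AWS::WAFv2::WebACL": ("wafv2", ["CreateWebACL", "DeleteWebACL"]),
    "AWS::WAFv2::WebACLAssociation": ("wafv2", ["AssociateWebACL", "DisassociateWebACL"]),
    "AWS::CloudFormation::Stack": ("cloudformation", ["CreateStack", "DeleteStack"]),
}
TYPE_RE = re.compile(r"^\s*Type:\s*(AWS::[\w:]+)\s*$")
ROLE_RE = re.compile(r"^\s*(TaskRoleArn|ExecutionRoleArn|Role):")

def scan_template(text):
    """Line-based scan (not a YAML parse): returns (sorted actions, unknown types, passrole_needed)."""
    actions, unknown, passrole = set(), set(), False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]   # drop comments so a commented-out role line does not count
        m = TYPE_RE.match(line)
        if m:
            rtype = m.group(1)
            if rtype in ACTIONS_BY_TYPE:
                svc, verbs = ACTIONS_BY_TYPE[rtype]
                actions.update(f"{svc}:{v}" for v in verbs)
            else:
                unknown.add(rtype)    # needs a manual lookup before deploying
        elif ROLE_RE.match(line):
            passrole = True           # a role ARN is handed to ECS, so iam:PassRole is required
    return sorted(actions), sorted(unknown), passrole

def least_privilege_policy(actions, passrole,
                           role_arn="arn:aws:iam::123456789012:role/PLACEHOLDER-task-role"):
    """Policy document for the deploying user; PassRole is scoped to one role and to ECS only."""
    stmts = [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}]
    if passrole:
        stmts.append({"Effect": "Allow", "Action": "iam:PassRole", "Resource": role_arn,
                      "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}})
    return {"Version": "2012-10-17", "Statement": stmts}

# Constructed excerpt mirroring the question's ECS.yml (ExecutionRoleArn left commented out).
SAMPLE = """\
Resources:
  ECSService:
    Type: AWS::ECS::Service
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      # ExecutionRoleArn: !ImportValue ECSTaskRoleARN
"""
```

The stack event only reports that CreateService was denied, not which underlying permission was missing; the CloudTrail event for the IAM user with errorCode AccessDenied names the exact action to add.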
