Enable credentials endpoint for ecs task role? #511

Closed
jamesongithub opened this issue Aug 26, 2016 · 12 comments

Comments

@jamesongithub

Seem to be having problems with getting credentials from ecs-agent within the container. The route doesn't seem to be available.

curl 169.254.170.2:80/v1/credentials?id=38efbb6f-7511-4ab5-9047-0fe02c619f49
{"AvailableCommands":["/v1/metadata","/v1/tasks","/license"]}
curl 169.254.170.2/v1/metadata 
{"Cluster":"sandbox-ecs","ContainerInstanceArn":"arn:aws:ecs:us-east-1:REDACATED:container-instance/0acd679c-fa32-41f9-be28-440dd07d32f7","Version":"Amazon ECS Agent - v1.12.1 (d5e8c51)"}

ecs-agent env

            "Env": [
                "ECS_DISABLE_PRIVILEGED=true",
                "ECS_ENGINE_TASK_CLEANUP_WAIT_DURATION=1m",
                "ECS_DISABLE_METRICS=false",
                "ECS_APPARMOR_CAPABLE=true",
                "ECS_DOCKER_GRAPHPATH=REDACTED",
                "ECS_CLUSTER=REDACTED",
                "ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST=true",
                "ECS_AVAILABLE_LOGGING_DRIVERS=REDACTED",
                "ECS_ENABLE_TASK_IAM_ROLE=true",
                "ECS_DATADIR=/data",
                "ECS_LOGFILE=/log/ecs-agent.log",
                "ECS_LOG_LEVEL=debug",
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
            ],

Is there anything else needed to enable ecs iam roles for ecs agent?

@jamesongithub
Author

Btw, is there any way to add custom fields to the credentials payload?

@samuelkarp
Contributor

@jamesongithub Are you using the ECS-optimized AMI or did you manually install the ECS agent? It looks like the iptables rules might be set up somewhat wrong on your instance (looks like they're forwarding to 51678 instead of 51679).

@jamesongithub
Author

jamesongithub commented Aug 26, 2016

This is on ubuntu so it was a manual install. Actually I thought the instructions were incorrect here so I used 51678 like from the README. I actually have nothing listening on 51679, so it wasn't returning anything at all on 51679.

@samuelkarp
Contributor

The agent should be listening on 51679 as well; that's the credential endpoint. I'll make a note to update the README; the most up-to-date instructions on launching the agent on Ubuntu are in our documentation.
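As an added diagnostic (not code from the ECS agent project or from anyone in this thread), the POSIX sh checker below reads `iptables-save` output and reports which host port traffic for 169.254.170.2:80 is forwarded to, so a manual install can be verified before a container tries the endpoint; the two rule sets are constructed samples, one pointing at the introspection port 51678 and one at the credentials port 51679.

```shell
#!/bin/sh
# Added diagnostic, not part of the ECS agent: inspect iptables-save output
# and report where traffic to the ECS credentials address 169.254.170.2:80 is
# redirected. The agent's credentials endpoint listens on 51679; 51678 is the
# introspection endpoint, which is what the thread above hit by mistake.

# Constructed sample of a misconfigured host (both rules point at 51678).
SAMPLE_BAD='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 169.254.170.2/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:51678
-A OUTPUT -d 169.254.170.2/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 51678
COMMIT'

# Constructed sample of a correctly configured host.
SAMPLE_GOOD='*nat
-A PREROUTING -d 169.254.170.2/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:51679
-A OUTPUT -d 169.254.170.2/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 51679
COMMIT'

# Usage: ecs_creds_nat_port "<iptables-save output>" <PREROUTING|OUTPUT>
# Prints the port the first matching rule forwards 169.254.170.2:80 to,
# or "none" when that chain has no such rule.
ecs_creds_nat_port() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "-A" && $2 == chain && /-d 169\.254\.170\.2/ && /--dport 80( |$)/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "--to-destination") { split($(i+1), a, ":"); print a[2]; found = 1; exit }
                if ($i == "--to-ports")       { print $(i+1); found = 1; exit }
            }
        }
        END { if (!found) print "none" }'
}

# Returns 0 and prints "ok" when both chains forward to 51679, otherwise
# prints the ports actually found and returns 1.
ecs_creds_nat_check() {
    pre=$(ecs_creds_nat_port "$1" PREROUTING)
    out=$(ecs_creds_nat_port "$1" OUTPUT)
    if [ "$pre" = 51679 ] && [ "$out" = 51679 ]; then
        echo "ok: 169.254.170.2:80 -> 51679 (credentials endpoint)"
        return 0
    fi
    echo "misconfigured: PREROUTING -> $pre, OUTPUT -> $out (expected 51679; 51678 is the introspection endpoint)"
    return 1
}

ecs_creds_nat_check "$SAMPLE_GOOD"
ecs_creds_nat_check "$SAMPLE_BAD" || :
```

On a real host run it as `ecs_creds_nat_check "$(sudo iptables-save -t nat)"`; a "none" result means the DNAT/REDIRECT rules were never installed at all.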

@jamesongithub
Author

Ah, that makes sense. Thanks for the quick response. Any way to add custom fields to the creds response btw?

@samuelkarp
Contributor

No, the credential endpoint only returns credentials. What kinds of custom things are you looking for it to return?

@jamesongithub
Author

jamesongithub commented Aug 26, 2016

Other secrets that we would like to pass instead of having them show up as plaintext envs in the aws ecs console.

@samuelkarp
Contributor

@jamesongithub That sounds pretty similar to #328. @aaithal's suggestion on that issue is a good approach.

I've also opened #512 to update the README. Thanks for catching the errors!

@jamesongithub
Author

yup. thanks!

@hltbra

hltbra commented Aug 10, 2017

@samuelkarp, @aaithal: I am having the same issue and I have logs. Should I open a ticket? I'd appreciate it if you can help me debug this, but I don't want to leave my broken container erroring out for much longer. My work email is hugo at yipitdata.com

I am running the latest agent (ECS-optimized AMI ami-04351e12).

Thanks

@aaithal
Contributor

aaithal commented Aug 10, 2017

@hltbra I'm sorry that you're running into this issue. Please create a new github issue or a support case via the AWS Developer Support program. Thanks!

@hltbra

hltbra commented Aug 10, 2017

@aaithal: cool. I created an AWS Support ticket with logs from my application and the ECS agent (case ID 4260162261).
