IAM error when deploying LoadBalancedFargateService #1279

Closed
PaulMaddox opened this issue Dec 4, 2018 · 3 comments · Fixed by #1291
Labels: @aws-cdk/aws-ecs (Related to Amazon Elastic Container), bug (This issue is a bug.)

Comments

@PaulMaddox
Contributor

Given the following:

```ts
// Create a default VPC (with public/private subnets and 10.0.0.0/16 CIDR range)
const vpc = new ec2.VpcNetwork(this, 'VPC');

// Create an ECS cluster
const cluster = new ecs.Cluster(this, 'Cluster', { vpc });

// Add EC2 instances to the cluster (inc. auto-scaling and container draining)
const asg = cluster.addDefaultAutoScalingGroupCapacity({
    instanceCount: 2,
    maxCapacity: 10,
    instanceType: new ec2.InstanceType('m4.large'),
})

// Create an example nginx service
const nginx = new ecs.LoadBalancedFargateService(this, 'Nginx', {
    cluster,
    image: ecs.ContainerImage.fromDockerHub('nginx:latest'),
})
```

I get the following error on cdk deploy:

Fargate requires task definition to have execution role ARN to support log driver awslogs. (Service: AmazonECS; Status Code: 400; Error Code: ClientException; Request ID: 86141580-f78e-11e8-88ae-198b4970816c)

This feels like something that should be set up as part of the default experience.

@rix0rrr
Contributor

rix0rrr commented Dec 4, 2018

Totally should. This must be a new check (re:Invent?) because we have integration tests for this.

Also, you're adding EC2 capacity to a cluster you're ending up running a Fargate service on. The capacity is not necessary there. Maybe we should have called it addEc2Capacity?

(cc @SoManyHs )

rix0rrr added the bug and @aws-cdk/aws-ecs labels Dec 4, 2018
@Doug-AWS
Contributor

Doug-AWS commented Dec 4, 2018

+1

@Doug-AWS
Contributor

Doug-AWS commented Dec 4, 2018

I hit this on 0.18.1 and 0.19.0

rix0rrr added a commit that referenced this issue Dec 5, 2018
Make sure that tasks using the 'awslogs' Log Driver have the correct IAM
permissions to actually write logs. Add grant() methods to IAM LogGroups
to make this nicer to write.

Fixes #1279.
rix0rrr added a commit that referenced this issue Dec 6, 2018
Make sure that tasks using the 'awslogs' Log Driver have the correct IAM
permissions to actually write logs. Add grant() methods to IAM LogGroups
to make this nicer to write.

Fixes #1279.
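
Added illustration of the failure reported above and of the permissions the fix commit refers to (not code from this issue or from the aws-cdk repository): a pre-deployment check over a task definition and its execution role policy. The action names `logs:CreateLogStream` and `logs:PutLogEvents`, the function names and the sample ARN are assumptions that do not appear on this page.

```typescript
// Shapes follow the ECS RegisterTaskDefinition input and IAM policy JSON.
interface Statement { Effect: string; Action: string | string[] }
interface Container { name: string; logConfiguration?: { logDriver: string } }
interface TaskDef {
  requiresCompatibilities?: string[];
  executionRoleArn?: string;
  containerDefinitions: Container[];
}

// Assumption (not from the issue): the actions awslogs needs to write log events.
const REQUIRED_ACTIONS = ['logs:CreateLogStream', 'logs:PutLogEvents'];

// True if some Allow statement covers `action` (IAM '*' wildcard, case-insensitive).
// Resource scoping, conditions and Deny statements are not evaluated here.
function allows(policy: Statement[], action: string): boolean {
  return policy.some((s) => {
    if (s.Effect !== 'Allow') return false;
    const actions = Array.isArray(s.Action) ? s.Action : [s.Action];
    return actions.some((a) => {
      const escaped = a.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
      return new RegExp('^' + escaped + '$', 'i').test(action);
    });
  });
}

// Findings for a Fargate task whose containers log through the awslogs driver.
function findLoggingGaps(taskDef: TaskDef, rolePolicy: Statement[]): string[] {
  const onFargate = (taskDef.requiresCompatibilities || []).indexOf('FARGATE') !== -1;
  const users = taskDef.containerDefinitions
    .filter((c) => c.logConfiguration !== undefined && c.logConfiguration.logDriver === 'awslogs')
    .map((c) => c.name);
  if (!onFargate || users.length === 0) return [];
  if (!taskDef.executionRoleArn) {
    return ['no executionRoleArn, but awslogs is used by: ' + users.join(', ')];
  }
  return REQUIRED_ACTIONS.filter((a) => !allows(rolePolicy, a))
    .map((a) => 'execution role does not allow ' + a);
}

// Constructed sample input (not taken from a real account).
const web: Container = { name: 'web', logConfiguration: { logDriver: 'awslogs' } };
const broken: TaskDef = { requiresCompatibilities: ['FARGATE'], containerDefinitions: [web] };
const fixed: TaskDef = { requiresCompatibilities: ['FARGATE'], containerDefinitions: [web],
  executionRoleArn: 'arn:aws:iam::123456789012:role/example-exec' };
const pullOnly: Statement[] = [{ Effect: 'Allow', Action: 'ecr:GetAuthorizationToken' }];
const withLogs: Statement[] = pullOnly.concat([{ Effect: 'Allow', Action: ['logs:Create*', 'logs:PutLogEvents'] }]);

console.log(findLoggingGaps(broken, []));
console.log(findLoggingGaps(fixed, pullOnly));
console.log(findLoggingGaps(fixed, withLogs));
```

The first case corresponds to the state that produced the error in this issue; the second shows an execution role that exists but still cannot write logs.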