ECS Task is not using the role attached to it?

0

I'm not entirely sure what's going on here. I have a container that's using ubuntu:focal as a base, and the application that's running in the container uses the aws-sdk-php v3.217 to access Secrets Manager. The application is able to access the AWS services when it's running on an EC2 instance, but when it's running in ECS (with the exact same permissions on the role), I get this error:

2022/08/26 14:07:07 [error] 11#11: *3162 FastCGI sent in stderr: "PHP message: PHP Fatal error: Uncaught Aws\Exception\CredentialsException: Error retrieving credentials from the instance profile metadata service. (cURL error 7: (see https://curl.haxx.se/libcurl/c/libcurl-errors.html)) in .../vendor/aws/aws-sdk-php/src/Credentials/InstanceProfileProvider.php:264

I guess my main question is, is there another service that needs to be running for the SDK to be able to use the role attached to the container, or is it something entirely different?

2 Answers
1
Accepted Answer

The ECS documentation, IAM roles for tasks, notes that you can retrieve the IAM credentials by running curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI. This address is different from EC2's metadata URL (169.254.169.254). Therefore, your SDK client needs to point to another location to retrieve credentials. For AWS SDK for PHP, I can see a class called EcsCredentialsProvider. Please try to use the class to retrieve the credentials.

AWS
answered 2 years ago
1

The IAM credentials can be retrieved from EC2 metadata URL (169.254.169.254). You need to reconfirm if your SDK code is fetching the required credentials from the correct URL as mentioned. Please do check out this link for assistance with SDK on credentials class. [+] https://docs.aws.amazon.com/aws-sdk-php/v3/api/class-Aws.Credentials.EcsCredentialProvider.html

AWS
Support Engineer
answered 2 years ago
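The approach the answers point to, as an added example that is not part of the original thread: pin the Secrets Manager client to the ECS task-role credential endpoint and fail fast when the task's credential variable is not visible to PHP. The secret name, the fallback region and the helper name `taskRoleCredentials` are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Assumes aws-sdk-php v3 installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Aws\Credentials\CredentialProvider;
use Aws\Exception\AwsException;
use Aws\Exception\CredentialsException;
use Aws\SecretsManager\SecretsManagerClient;

// ECS injects this variable into each container of a task that has a task role.
// The SDK's ECS provider appends its value to http://169.254.170.2.
const TASK_CREDS_ENV = 'AWS_CONTAINER_CREDENTIALS_RELATIVE_URI';

// Hypothetical helper: returns a credential provider bound to the task role,
// or throws if this PHP process cannot see the variable.
function taskRoleCredentials(): callable
{
    $relativeUri = getenv(TASK_CREDS_ENV);
    if ($relativeUri === false || $relativeUri === '') {
        // Without the variable the SDK's default chain ends at
        // InstanceProfileProvider (169.254.169.254), the provider named in
        // the error message in the question.
        throw new RuntimeException(
            TASK_CREDS_ENV . ' is not set for this PHP process; ' .
            'task-role credentials cannot be located.'
        );
    }
    // memoize() caches the credentials until they are close to expiry, so
    // the endpoint is not queried on every request.
    return CredentialProvider::memoize(CredentialProvider::ecsCredentials());
}

$client = new SecretsManagerClient([
    'region'      => getenv('AWS_REGION') ?: 'us-east-1', // assumed fallback
    'version'     => 'latest',
    'credentials' => taskRoleCredentials(),
]);

try {
    // Placeholder secret name; replace with the application's own.
    $result = $client->getSecretValue(['SecretId' => 'example/placeholder-secret']);
    // Log metadata only, never the secret value itself.
    error_log('Fetched secret version ' . $result['VersionId']);
} catch (CredentialsException $e) {
    error_log('Task-role credential lookup failed: ' . $e->getMessage());
} catch (AwsException $e) {
    error_log('Secrets Manager call failed: ' . $e->getAwsErrorCode());
}
```

Under php-fpm, `clear_env` defaults to `yes`, which hides the container's environment variables from worker processes, so the check in `taskRoleCredentials()` throws in that configuration instead of silently falling back to the instance metadata service.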
