ECS Task is not using the role attached to it?

0

I'm not entirely sure what's going on here. I have a container that's using ubuntu:focal as a base, and the application that's running in the container uses the aws-sdk-php v3.217 to access Secrets Manager. The application is able to access the AWS services when its running on an EC2 instance, but when it's running in ECS (with the exact same permissions on the role), I get this error:

2022/08/26 14:07:07 [error] 11#11: *3162 FastCGI sent in stderr: "PHP message: PHP Fatal error: Uncaught Aws\Exception\CredentialsException: Error retrieving credentials from the instance profile metadata service. (cURL error 7: (see https://curl.haxx.se/libcurl/c/libcurl-errors.html)) in .../vendor/aws/aws-sdk-php/src/Credentials/InstanceProfileProvider.php:264

I guess my main question is, is there another service that needs to be running for the SDK to be able to use the role attached to the container, or is it something entirely different?

2개 답변
1
수락된 답변

The ECS documentation, IAM roles for tasks, notes that you can retrieve the IAM credentials by running curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI. This address is different from EC2's metadata URL (169.254.169.254). Therefore, your SDK client needs to point to another location to retrieve credentials. For AWS SDK for PHP, I can see a class called EcsCredentialsProvider. Please try to use the class to retrieve the cedentials.

AWS
답변함 2년 전
1

The IAM credentials can retrieved from EC2 metadata URL (169.254.169.254). You need to reconfirm if your SDK code is fetching the required credentials from the correct URL as mentioned. Please do check out this link for assistance with SDK on credentials class. [+] https://docs.aws.amazon.com/aws-sdk-php/v3/api/class-Aws.Credentials.EcsCredentialProvider.html

AWS
지원 엔지니어
답변함 2년 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠