ECS Task is not using the role attached to it?
I'm not entirely sure what's going on here. I have a container that's using ubuntu:focal as a base, and the application that's running in the container uses the aws-sdk-php v3.217 to access Secrets Manager. The application is able to access the AWS services when its running on an EC2 instance, but when it's running in ECS (with the exact same permissions on the role), I get this error:
2022/08/26 14:07:07 [error] 11#11: *3162 FastCGI sent in stderr: "PHP message: PHP Fatal error: Uncaught Aws\Exception\CredentialsException: Error retrieving credentials from the instance profile metadata service. (cURL error 7: (see https://curl.haxx.se/libcurl/c/libcurl-errors.html)) in .../vendor/aws/aws-sdk-php/src/Credentials/InstanceProfileProvider.php:264
I guess my main question is, is there another service that needs to be running for the SDK to be able to use the role attached to the container, or is it something entirely different?
- Mais recentes
- Mais votos
- Mais comentários
The ECS documentation, IAM roles for tasks, notes that you can retrieve the IAM credentials by running curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI. This address is different from EC2's metadata URL (169.254.169.254). Therefore, your SDK client needs to point to another location to retrieve credentials. For AWS SDK for PHP, I can see a class called EcsCredentialsProvider. Please try to use the class to retrieve the cedentials.
The IAM credentials can retrieved from EC2 metadata URL (169.254.169.254). You need to reconfirm if your SDK code is fetching the required credentials from the correct URL as mentioned. Please do check out this link for assistance with SDK on credentials class. [+] https://docs.aws.amazon.com/aws-sdk-php/v3/api/class-Aws.Credentials.EcsCredentialProvider.html
