ECS Service Connect LogConfiguration SecretOptions Usage

0

I'm looking to migrate services from AppMesh to Service Connect, and ran into an issue with the log configuration in my template which looks something like this:

"ServiceConnectConfiguration": {
  "Enabled": true,
  ...
  "LogConfiguration": {
    "LogDriver": "awsfirelens",
    "SecretOptions": [
      {
        "Name": "apiKey",
        "ValueFrom": { "Fn::Join": [ "", [ "arn:aws:ssm:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":parameter/my/key" ] ] }
      }
    ]
  },

This results in the following error:

Resource handler returned message: "Invalid request provided: CreateService error: TaskDefinition#logConfiguration The Systems Manager parameter ARN has a different account ID than the current account. The current account ID is null and the ARN account ID is #####. Cross-account access for ARNs is not currently supported. (Service: AmazonECS; Status Code: 400; Error Code: InvalidParameterException; Request ID: #####; Proxy: null)" (RequestToken: #####, HandlerErrorCode: InvalidRequest)

This logConfiguration is the same as what had been on the envoy container. Is this null account id something that could be changed in how Service Connect scaffolds this out?

**Edit:** Hardcoding the value:

"ServiceConnectConfiguration": {
  "Enabled": true,
  "LogConfiguration": {
    "LogDriver": "awsfirelens",
    "SecretOptions": [
      {
        "Name": "apiKey",
        "ValueFrom": "arn:aws:ssm:us-east-1:####:parameter/my/key"
      }
    ]
  }
}

Results in the same error. The parameter in question is a SecureString.

John_Y
asked a year ago · 462 views
2 Answers
0

From the issue description I understand you are looking to migrate your service from AppMesh to ServiceConnect, and in the template snippet the parameter ARN is specified with environment variables for region and account ID.

The shared error indicates that the SSM parameter ARN is different from the current account, which indicates it is null. Furthermore, the account IDs need to be the same as the SSM parameter ARN, as cross-account access is not currently supported.

Based on this data, it seems the template is not pulling the account ID, as it is set as null. Can you confirm how the account ID variable is set up in the CDK template? Based on the environment variable, this seems to be pulling an ENV from CDK; can you confirm if the ENV is set up with the correct values?

With regards to envoy containers, the instance metadata can be used to extract the account ID, which does not require it to be set as an ENV. Thus this should work on containers without any issue. Service Connect is not the error-prone component, but rather the account ID not being set up in the CDK ENV. Please refer to https://docs.aws.amazon.com/app-mesh/latest/userguide/proxy-authorization.html for more info about instance metadata.

I would also like to take the opportunity to advise that I am an engineer from ECS and do not work on CDK. I did, however, set up a lab with CDK using literal values for the region and account ID, and I was able to deploy successfully; when trying to use ENV, my code failed to synthesize. I would recommend reaching out to the CDK team to understand how to pass the account variable correctly to avoid the null results.

AWS
answered a year ago
  • Sorry, I should have made the example more concise: I've updated the question to include the actual CloudFormation stack values as opposed to CDK code. Like I mentioned, the block of code is identical between the original envoy setup and the new Service Connect setup, so there shouldn't be any issues with the account ID.

    It seems like there's an issue with Service Connect being able to read secure strings (or maybe any SSM parameters). From its perspective it's running in some sort of context that does not have an account ID.

  • @Bohlale_M - any thoughts on the updated details in the question? In your lab example, were you using a SecureString parameter in that SecretOptions section?

0

For now I've updated the parameter store value to String from SecureString, and added the value as an inline resolve.

John_Y
answered a year ago
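Added example, not code from the thread or from AWS: an offline checker for the template shape in the question (a ServiceConnectConfiguration whose LogConfiguration.SecretOptions entries use Fn::Join and Ref to AWS::Region and AWS::AccountId). It resolves those intrinsics with values you supply and then applies the constraint the ECS error message states, that each ValueFrom must be a Systems Manager parameter or Secrets Manager secret ARN whose account (and region) match the deploying stack. The parameter path /my/key, the account ID and the region are constructed placeholders. It catches template-side mismatches before a deploy; it cannot reproduce the service-side "current account ID is null" behaviour the question describes, which only ECS can observe.

```python
"""Pre-deploy check of ECS Service Connect LogConfiguration.SecretOptions ARNs.

Added example; resolves the Fn::Join / Ref intrinsics used in the question
with caller-supplied pseudo-parameter values, then validates each ValueFrom.
"""
import re
from typing import Any

# SSM parameter or Secrets Manager secret ARN (the two sources ECS accepts).
ARN_RE = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):(?P<service>ssm|secretsmanager):"
    r"(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"(?P<resource>parameter/.+|secret:.+)$"
)


def resolve(node: Any, pseudo: dict[str, str]) -> Any:
    """Resolve Fn::Join and Ref (the only intrinsics in the question's template).

    A Ref to a pseudo-parameter that is not in `pseudo` resolves to None, and a
    Join containing such a part also yields None, so an unset AWS::AccountId
    surfaces as an unresolved ValueFrom rather than a half-built ARN.
    """
    if isinstance(node, dict) and len(node) == 1:
        key, val = next(iter(node.items()))
        if key == "Ref":
            return pseudo.get(val)
        if key == "Fn::Join":
            delim, parts = val
            resolved = [resolve(p, pseudo) for p in parts]
            if any(p is None for p in resolved):
                return None
            return delim.join(str(p) for p in resolved)
    if isinstance(node, list):
        return [resolve(p, pseudo) for p in node]
    return node


def check_secret_options(service_connect_cfg: dict, pseudo: dict[str, str]) -> list[str]:
    """Return findings for every SecretOptions entry; an empty list means all pass."""
    findings: list[str] = []
    account = pseudo.get("AWS::AccountId")
    region = pseudo.get("AWS::Region")
    if not account:
        findings.append("AWS::AccountId is not set; every ValueFrom would fail the same-account check")
    options = service_connect_cfg.get("LogConfiguration", {}).get("SecretOptions", [])
    for opt in options:
        name = opt.get("Name", "<unnamed>")
        arn = resolve(opt.get("ValueFrom"), pseudo)
        if not isinstance(arn, str):
            findings.append(f"{name}: ValueFrom did not resolve to a string (unresolved Ref?)")
            continue
        m = ARN_RE.match(arn)
        if not m:
            findings.append(f"{name}: not an SSM parameter or Secrets Manager ARN: {arn}")
            continue
        if account and m["account"] != account:
            findings.append(f"{name}: ARN account {m['account']} differs from deploying account {account}")
        if region and m["region"] != region:
            findings.append(f"{name}: ARN region {m['region']} differs from stack region {region}")
    return findings


# Constructed fragment mirroring the question's template (path /my/key is a placeholder).
TEMPLATE_FRAGMENT = {
    "Enabled": True,
    "LogConfiguration": {
        "LogDriver": "awsfirelens",
        "SecretOptions": [
            {
                "Name": "apiKey",
                "ValueFrom": {"Fn::Join": ["", [
                    "arn:aws:ssm:", {"Ref": "AWS::Region"}, ":",
                    {"Ref": "AWS::AccountId"}, ":parameter/my/key"]]},
            }
        ],
    },
}

if __name__ == "__main__":
    # Constructed pseudo-parameter values; 111122223333 is a documentation-style account ID.
    print(check_secret_options(TEMPLATE_FRAGMENT, {"AWS::Region": "us-east-1", "AWS::AccountId": "111122223333"}))
    print(check_secret_options(TEMPLATE_FRAGMENT, {"AWS::Region": "us-east-1"}))
```

Run it against the synthesized template with the account and region the stack is actually deployed to. One point worth keeping in mind when weighing the workaround in the second answer: a SecretOptions ValueFrom keeps the secret in SSM and has ECS fetch it at task start, whereas a `{{resolve:ssm:...}}` dynamic reference to a String parameter is substituted at deploy time, so the value ends up in the rendered template and the registered task definition, where anyone with read access to those can see it.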
