ECS task always stuck at pending with no logs

0

I tried to spin up a Task Definition and a Service for Nginx using CloudFormation, but the Service is always pending.

I tried literally everything in this: https://repost.aws/knowledge-center/ecs-tasks-stuck-pending-state

But none of them works.

asked a year ago, 646 views
2 Answers
1

Ensure that the AWS Identity and Access Management (IAM) role associated with your task has the necessary permissions to access any required AWS resources, such as Amazon S3 buckets or databases. In the AWS Management Console, go to the CloudFormation service and select your stack. Look for any events or error messages related to the service creation/update process. If there are any permission-related errors, they should be logged there. This doc explains the necessary permissions and policies that should be associated with the IAM role to ensure proper access to AWS resources. https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html

Other thoughts: verify the IAM role for ECS tasks. Confirm that the IAM role assigned to your ECS tasks has the appropriate permissions to access AWS resources. This includes any required permissions for interacting with services like Amazon S3, Amazon RDS, or any other resources that your tasks need to access.

Examine CloudTrail logs: if you have AWS CloudTrail enabled, you can search for relevant events related to your stack, ECS service, and associated IAM roles. Look for any errors or denied actions that may indicate a permission issue.

AWS
answered a year ago
  • Hi, I have the current IAM and access control settings:

    EC2 Instance Role policies: AmazonSSMManagedInstanceCore, AmazonEC2ContainerServiceforEC2Role

    ECS Task Role (I only need access to EFS): elasticfilesystem:ClientRootAccess, elasticfilesystem:ClientWrite, elasticfilesystem:ClientMount

    ECS Execution Role: arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy

    EC2 Security Group: I opened port 80 as one of my ingress rules. I can pull the Nginx image from DockerHub inside my EC2.

    CloudFormation just says my stack is being created and there are no errors. No logs are generated in my CloudWatch Log Groups and there are no records in CloudTrail too.

    This makes it difficult for me to diagnose the problem.

    In fact, this is not the first issue I have with ECS-optimized AMI. SSM-agent was supposed to be installed but it was not. I had to install it manually.

    Could you advise please?

0

You will not have any CloudWatch logs until your container at least moves further than it is.

What you need to do is on the service, look at stopped tasks. Here you will find the task IDs. Click on the latest task ID that fails to start.

Here you can locate the logs and see in the console the reason why it didn’t start.

It’s likely it’s going to be related to IAM permissions or the defined container doesn’t exist.

EXPERT
answered a year ago
  • Hi, there is nothing in the console that shows why the container can't start. It is just always pending.

    Could you share what other IAM permissions I need? I think I have already given all the permissions I need in my previous answer.

  • Click on the service, go to events and find the task ID. Click on the task ID to see the issue/log. There will be a reason in the console, there always is. You just have to be in the correct place to see it.

  • If you can provide any screenshots, hopefully we can point you in the right direction.
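
The places the second answer points to (service events and stopped tasks) can also be read through the ECS API. The following is an added example, not code from this thread: `summarize` and `fetch` are hypothetical helper names, the sample responses are constructed, and `fetch` assumes boto3 is installed with credentials that allow `ecs:DescribeServices`, `ecs:ListTasks` and `ecs:DescribeTasks`.

```python
"""Added example: gather the reasons ECS records when a service's tasks never start."""

def summarize(services_resp, tasks_resp):
    """Turn describe_services / describe_tasks responses into a list of findings."""
    findings = []
    for svc in services_resp.get("services", []):
        for ev in svc.get("events", [])[:5]:  # ECS returns the newest events first
            findings.append(f"event: {ev['message']}")
    for fail in tasks_resp.get("failures", []):  # task ARNs ECS could not describe
        findings.append(f"failure: {fail.get('arn')} {fail.get('reason')}")
    for task in tasks_resp.get("tasks", []):
        tid = task["taskArn"].rsplit("/", 1)[-1]
        if task.get("stoppedReason"):
            findings.append(
                f"task {tid}: {task.get('stopCode', '?')}: {task['stoppedReason']}")
        for c in task.get("containers", []):
            if c.get("reason"):  # per-container detail, e.g. an image pull error
                findings.append(f"task {tid} container {c['name']}: {c['reason']}")
    return findings

def fetch(cluster, service):
    """Query the live API for service events and recently stopped tasks."""
    import boto3  # imported here so summarize() can be used without boto3
    ecs = boto3.client("ecs")
    services = ecs.describe_services(cluster=cluster, services=[service])
    arns = ecs.list_tasks(cluster=cluster, serviceName=service,
                          desiredStatus="STOPPED")["taskArns"]
    tasks = (ecs.describe_tasks(cluster=cluster, tasks=arns)
             if arns else {"tasks": [], "failures": []})
    return services, tasks

# Constructed sample responses (not real output from any account).
SAMPLE_SERVICES = {"services": [{"events": [{"message":
    "(service nginx-svc) was unable to place a task because no container "
    "instance met all of its requirements."}]}]}
SAMPLE_TASKS = {"failures": [], "tasks": [{
    "taskArn": "arn:aws:ecs:us-east-1:111122223333:task/demo/0123abcd",
    "stopCode": "TaskFailedToStart",
    "stoppedReason": "constructed: task failed to start",
    "containers": [{"name": "nginx", "reason": "constructed: image pull failed"},
                   {"name": "sidecar"}]}]}

if __name__ == "__main__":
    for line in summarize(SAMPLE_SERVICES, SAMPLE_TASKS):
        print(line)
```

Against a real account, call `summarize(*fetch("my-cluster", "my-service"))` with your own cluster and service names (placeholders here).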
