Docker-compose to ECS
I faced a problem with Secrets when deploying docker-compose.yml to ECS. I don't understand why.
The policy by itself seems to work, but it doesn't work here.
ERROR TEXT
HasuraService TaskFailedToStart: ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve secret from asm: service call has been retried 1 time(s): failed to fetch secret *[HERE WAS ARN]/username* from secrets manager: AccessDeniedException: User: arn:aws:sts::925578195865:assumed-role/gochi-HasuraTaskExecutionRole-17C7ELVZK3HX2/50f19aa9ec5f44e6ae7b95ded3bb4a3f is not authorized to perform: secretsmanager:GetSecretValue on resource: *[HERE WAS ARN]/username* because no identity-based policy allows the secretsmanager:GetSecretValue action status code: 400, request id: ab2d966b-9e00-433a-89d3-804b52dfe39f
DOCKER-COMPOSE.YML
version: '3.9'
x-aws-vpc: [VPC-HERE]
x-aws-load-balancer: [LOAD-BALANCER-HERE]
services:
  hasura:
    image: hasura/graphql-engine:latest
    ports:
      - '8080:8080'
    environment:
      HASURA_GRAPHQL_DATABASE_URL: postgres://${RDS_USERNAME}:${RDS_PASSWORD}@*[RDS_URL_HERE]*:5432/gochi
      HASURA_GRAPHQL_ENABLE_CONSOLE: true
      HASURA_GRAPHQL_ADMIN_SECRET: ${HASURA_PASSWORD}
    secrets:
      - RDS_USERNAME
      - RDS_PASSWORD
      - HASURA_PASSWORD
    x-aws-policies:
      - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
      - arn:aws:iam::925578195865:policy/GochiHasuraTaskExecution
secrets:
  RDS_USERNAME:
    name: *[HERE WAS ARN]/username*
    external: true
  RDS_PASSWORD:
    name: *[HERE WAS ARN]/password*
    external: true
  HASURA_PASSWORD:
    name: *[HERE WAS ARN]/password*
    external: true
arn:aws:iam::925578195865:policy/GochiHasuraTaskExecution
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": [
        "*[HERE WAS ARN]/username*",
        "*[HERE WAS ARN]/password*",
        "*[HERE WAS ARN]/password*",
        "*[HERE WAS ARN]*",
        "*[HERE WAS ARN]*"
      ]
    }
  ]
}
CLOUDFORMATION CONFIG
AWSTemplateFormatVersion: 2010-09-09
Resources:
  CloudMap:
    Properties:
      Description: Service Map for Docker Compose project gochi
      Name: gochi.local
      Vpc: vpc-00ba3cc7fea7e3a72
    Type: AWS::ServiceDiscovery::PrivateDnsNamespace
  Cluster:
    Properties:
      ClusterName: gochi
      Tags:
        - Key: com.docker.compose.project
          Value: gochi
    Type: AWS::ECS::Cluster
  Default8080Ingress:
    Properties:
      CidrIp: 0.0.0.0/0
      Description: hasura:8080/tcp on default network
      FromPort: 8080
      GroupId:
        Ref: DefaultNetwork
      IpProtocol: TCP
      ToPort: 8080
    Type: AWS::EC2::SecurityGroupIngress
  DefaultNetwork:
    Properties:
      GroupDescription: gochi Security Group for default network
      Tags:
        - Key: com.docker.compose.project
          Value: gochi
        - Key: com.docker.compose.network
          Value: gochi_default
      VpcId: vpc-00ba3cc7fea7e3a72
    Type: AWS::EC2::SecurityGroup
  DefaultNetworkIngress:
    Properties:
      Description: Allow communication within network default
      GroupId:
        Ref: DefaultNetwork
      IpProtocol: "-1"
      SourceSecurityGroupId:
        Ref: DefaultNetwork
    Type: AWS::EC2::SecurityGroupIngress
  HasuraService:
    DependsOn:
      - HasuraTCP8080Listener
    Properties:
      Cluster:
        Fn::GetAtt:
          - Cluster
          - Arn
      DeploymentConfiguration:
        MaximumPercent: 200
        MinimumHealthyPercent: 100
      DeploymentController:
        Type: ECS
      DesiredCount: 1
      LaunchType: FARGATE
      LoadBalancers:
        - ContainerName: hasura
          ContainerPort: 8080
          TargetGroupArn:
            Ref: HasuraTCP8080TargetGroup
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: ENABLED
          SecurityGroups:
            - Ref: DefaultNetwork
          Subnets:
            - subnet-0cde4d8ffd50e8f32
            - subnet-0e11aed9fd537388d
            - subnet-00e18e2b59a78ac21
      PlatformVersion: 1.4.0
      PropagateTags: SERVICE
      SchedulingStrategy: REPLICA
      ServiceRegistries:
        - RegistryArn:
            Fn::GetAtt:
              - HasuraServiceDiscoveryEntry
              - Arn
      Tags:
        - Key: com.docker.compose.project
          Value: gochi
        - Key: com.docker.compose.service
          Value: hasura
      TaskDefinition:
        Ref: HasuraTaskDefinition
    Type: AWS::ECS::Service
  HasuraServiceDiscoveryEntry:
    Properties:
      Description: '"hasura" service discovery entry in Cloud Map'
      DnsConfig:
        DnsRecords:
          - TTL: 60
            Type: A
        RoutingPolicy: MULTIVALUE
      HealthCheckCustomConfig:
        FailureThreshold: 1
      Name: hasura
      NamespaceId:
        Ref: CloudMap
    Type: AWS::ServiceDiscovery::Service
  HasuraTCP8080Listener:
    Properties:
      DefaultActions:
        - ForwardConfig:
            TargetGroups:
              - TargetGroupArn:
                  Ref: HasuraTCP8080TargetGroup
          Type: forward
      LoadBalancerArn:
        Ref: LoadBalancer
      Port: 8080
      Protocol: TCP
    Type: AWS::ElasticLoadBalancingV2::Listener
  HasuraTCP8080TargetGroup:
    Properties:
      Port: 8080
      Protocol: TCP
      Tags:
        - Key: com.docker.compose.project
          Value: gochi
      TargetType: ip
      VpcId: vpc-00ba3cc7fea7e3a72
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
  HasuraTaskDefinition:
    Properties:
      ContainerDefinitions:
        - Command:
            - '[{"Name":"RDS_USERNAME","Keys":null},{"Name":"RDS_PASSWORD","Keys":null},{"Name":"HASURA_PASSWORD","Keys":null}]'
          Essential: false
          Image: docker/ecs-secrets-sidecar:1.0
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group:
                Ref: LogGroup
              awslogs-region:
                Ref: AWS::Region
              awslogs-stream-prefix: gochi
          MountPoints:
            - ContainerPath: /run/secrets/
              SourceVolume: secrets
          Name: Hasura_Secrets_InitContainer
          Secrets:
            - Name: RDS_USERNAME
              ValueFrom: [HERE WAS ARN]
            - Name: RDS_PASSWORD
              ValueFrom: [HERE WAS ARN]
            - Name: HASURA_PASSWORD
              ValueFrom: [HERE WAS ARN]
        - Command:
            - eu-central-1.compute.internal
            - gochi.local
          Essential: false
          Image: docker/ecs-searchdomain-sidecar:1.0
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group:
                Ref: LogGroup
              awslogs-region:
                Ref: AWS::Region
              awslogs-stream-prefix: gochi
          Name: Hasura_ResolvConf_InitContainer
        - DependsOn:
            - Condition: SUCCESS
              ContainerName: Hasura_Secrets_InitContainer
            - Condition: SUCCESS
              ContainerName: Hasura_ResolvConf_InitContainer
          Environment:
            - Name: HASURA_GRAPHQL_ADMIN_SECRET
              Value: three
            - Name: HASURA_GRAPHQL_DATABASE_URL
              Value: [SOME ENV VARS]
            - Name: HASURA_GRAPHQL_ENABLE_CONSOLE
              Value: "true"
          Essential: true
          Image: docker.io/hasura/graphql-engine:latest@sha256:5f10837a829cbc70f87fffb9168003026343ed1c6c8a0a69104642637a21076e
          LinuxParameters: {}
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group:
                Ref: LogGroup
              awslogs-region:
                Ref: AWS::Region
              awslogs-stream-prefix: gochi
          MountPoints:
            - ContainerPath: /run/secrets/
              ReadOnly: true
              SourceVolume: secrets
          Name: hasura
          PortMappings:
            - ContainerPort: 8080
              HostPort: 8080
              Protocol: tcp
      Cpu: "256"
      ExecutionRoleArn:
        Ref: HasuraTaskExecutionRole
      Family: gochi-hasura
      Memory: "512"
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      TaskRoleArn:
        Ref: HasuraTaskRole
      Volumes:
        - Name: secrets
    Type: AWS::ECS::TaskDefinition
  HasuraTaskExecutionRole:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Condition: {}
            Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
        Version: 2012-10-17
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
      Policies:
        - PolicyDocument:
            Statement:
              - Action:
                  - secretsmanager:GetSecretValue
                  - ssm:GetParameters
                  - kms:Decrypt
                Condition: {}
                Effect: Allow
                Principal: {}
                Resource:
                  - [ARN1]/username
                  - [ARN1]/password
                  - [ARN2]/password
          PolicyName: hasuraGrantAccessToSecrets
      Tags:
        - Key: com.docker.compose.project
          Value: gochi
        - Key: com.docker.compose.service
          Value: hasura
    Type: AWS::IAM::Role
  HasuraTaskRole:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Condition: {}
            Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
        Version: 2012-10-17
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
        - arn:aws:iam::925578195865:policy/GochiHasuraTaskExecution
      Tags:
        - Key: com.docker.compose.project
          Value: gochi
        - Key: com.docker.compose.service
          Value: hasura
    Type: AWS::IAM::Role
  LoadBalancer:
    Properties:
      LoadBalancerAttributes:
        - Key: load_balancing.cross_zone.enabled
          Value: "true"
      Scheme: internet-facing
      Subnets:
        - subnet-0cde4d8ffd50e8f32
        - subnet-0e11aed9fd537388d
        - subnet-00e18e2b59a78ac21
      Tags:
        - Key: com.docker.compose.project
          Value: gochi
      Type: network
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
  LogGroup:
    Properties:
      LogGroupName: /docker-compose/gochi
    Type: AWS::Logs::LogGroup
asked a year ago, 379 views
1 Answer
In HasuraTaskDefinition I think you need this:

ExecutionRoleArn:
  Fn::GetAtt:
    - HasuraTaskExecutionRole
    - Arn

Ref for an AWS::IAM::Role returns the resource name and not the ARN. [src]
answered a year ago
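An added example for checking this class of failure offline; it is not code from the question or the answer. The AccessDeniedException names the execution role (HasuraTaskExecutionRole), which is the identity the ECS agent uses to fetch ValueFrom secrets before the task starts. In the generated template above, the x-aws-policies entries are attached to HasuraTaskRole (the container's runtime identity), while the execution role only carries the inline hasuraGrantAccessToSecrets policy, so that inline policy is the one that has to cover every secret ARN. Secrets Manager ARNs also end in a hyphen plus six random characters, so a Resource entry written without that suffix or a trailing -* never matches the runtime ARN. The script walks a constructed, trimmed-down template in the shape docker compose convert emits (JSON so no YAML library is needed; account ID, region, secret names and suffixes are made up) and reports which task-definition secrets the execution role's inline statements do not allow, plus which roles the custom managed policy is actually attached to.

```python
"""Offline check: are the secrets an ECS task definition pulls at start-up
allowed for its *execution* role?  Constructed example; only the template is
inspected, no AWS calls are made."""
import json
import re

# ValueFrom secrets are fetched by the ECS agent with the execution role, so
# these are the actions that must be allowed on that role, per ARN service.
REQUIRED_ACTION = {"secretsmanager": "secretsmanager:GetSecretValue",
                   "ssm": "ssm:GetParameters"}

# Constructed template (account, region, names and -suffixes are made up).
TEMPLATE = json.loads(r"""
{ "Resources": {
  "HasuraTaskDefinition": { "Type": "AWS::ECS::TaskDefinition", "Properties": {
    "ExecutionRoleArn": {"Ref": "HasuraTaskExecutionRole"},
    "TaskRoleArn": {"Ref": "HasuraTaskRole"},
    "ContainerDefinitions": [{ "Name": "Hasura_Secrets_InitContainer", "Secrets": [
      {"Name": "RDS_USERNAME",
       "ValueFrom": "arn:aws:secretsmanager:eu-central-1:111122223333:secret:gochi/rds/username-Ab12Cd"},
      {"Name": "RDS_PASSWORD",
       "ValueFrom": "arn:aws:secretsmanager:eu-central-1:111122223333:secret:gochi/rds/password-Ef34Gh"},
      {"Name": "HASURA_PASSWORD",
       "ValueFrom": "arn:aws:secretsmanager:eu-central-1:111122223333:secret:gochi/hasura/password-Ij56Kl:admin::"}
    ]}]}},
  "HasuraTaskExecutionRole": { "Type": "AWS::IAM::Role", "Properties": {
    "ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"],
    "Policies": [{ "PolicyName": "hasuraGrantAccessToSecrets", "PolicyDocument": { "Statement": [{
      "Effect": "Allow",
      "Action": ["secretsmanager:GetSecretValue", "kms:Decrypt"],
      "Resource": [
        "arn:aws:secretsmanager:eu-central-1:111122223333:secret:gochi/rds/username",
        "arn:aws:secretsmanager:eu-central-1:111122223333:secret:gochi/rds/password-*",
        "arn:aws:secretsmanager:eu-central-1:111122223333:secret:gochi/hasura/password-Ij56Kl"
      ]}]}}]}},
  "HasuraTaskRole": { "Type": "AWS::IAM::Role", "Properties": {
    "ManagedPolicyArns": ["arn:aws:iam::111122223333:policy/GochiHasuraTaskExecution"]}}
}}
""")

def iam_matches(pattern, value):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]

def logical_id(ref):
    """Logical ID behind a Ref / Fn::GetAtt; None for a hard-coded ARN string."""
    if isinstance(ref, dict):
        return ref.get("Ref") or ref["Fn::GetAtt"][0]
    return None

def secret_arn(value_from):
    """Drop the optional ':json-key:version-stage:version-id' tail ECS allows on
    Secrets Manager references; IAM evaluates the permission on the secret ARN."""
    parts = value_from.split(":")
    return ":".join(parts[:7]) if parts[2] == "secretsmanager" else value_from

def allowed_patterns(template, role_id, action):
    """Resource patterns the role's inline Allow statements grant for `action`.
    Managed policy documents are not in the template, so their ARNs are returned
    for manual review.  Deny, NotAction, NotResource and Condition are ignored."""
    props = template["Resources"][role_id]["Properties"]
    patterns = []
    for policy in props.get("Policies", []):
        for st in as_list(policy["PolicyDocument"]["Statement"]):
            if st.get("Effect") == "Allow" and any(
                    iam_matches(a.lower(), action.lower()) for a in as_list(st.get("Action"))):
                patterns.extend(as_list(st.get("Resource")))
    return patterns, props.get("ManagedPolicyArns", [])

def roles_with_managed_policy(template, policy_arn):
    """Which roles a managed policy ARN is attached to (task role vs execution role)."""
    return [lid for lid, res in template["Resources"].items()
            if res["Type"] == "AWS::IAM::Role"
            and policy_arn in res["Properties"].get("ManagedPolicyArns", [])]

def check_task_secrets(template, task_def_id):
    props = template["Resources"][task_def_id]["Properties"]
    exec_role = logical_id(props["ExecutionRoleArn"])
    report = {"execution_role": exec_role, "covered": [], "missing": [], "unchecked_managed": []}
    for container in props["ContainerDefinitions"]:
        for secret in container.get("Secrets", []):
            arn = secret_arn(secret["ValueFrom"])  # assumed to be a full ARN
            action = REQUIRED_ACTION[arn.split(":")[2]]
            patterns, managed = allowed_patterns(template, exec_role, action)
            report["unchecked_managed"] = managed
            bucket = "covered" if any(iam_matches(p, arn) for p in patterns) else "missing"
            report[bucket].append((container["Name"], secret["Name"], arn))
    return report

if __name__ == "__main__":
    result = check_task_secrets(TEMPLATE, "HasuraTaskDefinition")
    for _, name, arn in result["missing"]:
        print(f"NOT ALLOWED for {result['execution_role']}: {name} -> {arn}")
    print("custom policy is attached to:",
          roles_with_managed_policy(TEMPLATE, "arn:aws:iam::111122223333:policy/GochiHasuraTaskExecution"))
```

Run it as-is and RDS_USERNAME is reported as not allowed, because the policy resource lacks the random suffix, while the -* pattern and the exact ARN both match. AmazonECSTaskExecutionRolePolicy grants ECR pull and CloudWatch Logs permissions only, so it is listed as unchecked rather than treated as covering anything; to extend the check to customer-managed policies, fetch their documents with aws iam get-policy-version and feed the statements through allowed_patterns. If a secret is encrypted with a customer-managed KMS key, the execution role additionally needs kms:Decrypt on that key, which this script does not verify.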