Questions tagged with Amazon Elastic Container Service


Failed connect two tasks in ECS Fargate

Context: I have 2 microservices, service A and service B. Service A is a general NestJS microservice, while service B uses NestJS + gRPC. Service A calls service B's API.

Local test: service A and B are brought up using separate docker-compose.yml files and I set them explicitly to use the same network. Everything works as expected.

PROBLEM: I deployed both services to AWS ECS Fargate. Each of them has an individual task definition. I set up service discovery for service B (A type) and the service discovery endpoint is serviceb.local. Currently the connection between service A and service B is not working. I keep receiving an ERROR 14 connection not established error.

QUESTION: How do I make containers in two different tasks talk to one another?

Code: register Service B's client in Service A

```
@Global()
@Module({
  imports: [
    ClientsModule.register([
      {
        name: SERVICE_B_NAME,
        transport: Transport.GRPC,
        options: {
          url: 'serviceb.local',
          package: SERVICE_B_PACKAGE_NAME,
          protoPath: 'node_modules/services-proto/proto/serviceb.proto',
        },
      },
    ]),
  ],
```

Bootstrap Service B

```
const app: INestMicroservice = await NestFactory.createMicroservice(AppModule, {
  transport: Transport.GRPC,
  options: {
    url: '0.0.0.0:50051',
    package: protobufPackage,
    protoPath: join('node_modules/services-proto/proto/serviceb.proto'),
  },
});
```

What I have tried:

- I called service B's public IP from local Postman and everything works;
- I used Cloud9 IDE and verified that the service discovery endpoint serviceb.local is successfully resolved to the public IP;
- Locally testing in Docker works as expected;
1 answer, 0 votes, 53 views, asked a month ago

Failed to pull and unpack image with status code [manifests v1.1]: 401 Unauthorized

Hi, I created an EC2 instance and installed microk8s. Now, I am trying to pull the image from ECR. I have attached an IAM role to the EC2 instance with the AmazonEC2ContainerRegistryReadOnly policy attached. I have also downloaded and configured iam-authenticator, but I am still getting the following events:

```
Normal   Scheduled          32s                default-scheduler  Successfully assigned k8ssandra-operator/soap-deployment-5785fdcbb6-psvml to ip-192-168-81-119
Normal   Pulling            18s (x2 over 32s)  kubelet            Pulling image "782534010321.dkr.ecr.eu-west-2.amazonaws.com/soap:v1.1"
Warning  Failed             18s (x2 over 31s)  kubelet            Failed to pull image "782534010321.dkr.ecr.eu-west-2.amazonaws.com/soap:v1.1": rpc error: code = Unknown desc = failed to pull and unpack image "782534010321.dkr.ecr.eu-west-2.amazonaws.com/soap:v1.1": failed to resolve reference "782534010321.dkr.ecr.eu-west-2.amazonaws.com/soap:v1.1": pulling from host 782534010321.dkr.ecr.eu-west-2.amazonaws.com failed with status code [manifests v1.1]: 401 Unauthorized
Warning  Failed             18s (x2 over 31s)  kubelet            Error: ErrImagePull
Warning  MissingClusterDNS  5s (x6 over 32s)   kubelet            pod: "soap-deployment-5785fdcbb6-psvml_k8ssandra-operator(5f1750ed-8316-48c0-869f-9fa4b0870d22)". kubelet does not have ClusterDNS IP configured and cannot create Pod using "ClusterFirst" policy. Falling back to "Default" policy.
Normal   BackOff            5s (x3 over 31s)   kubelet            Back-off pulling image "782534010321.dkr.ecr.eu-west-2.amazonaws.com/soap:v1.1"
Warning  Failed             5s (x3 over 31s)   kubelet            Error: ImagePullBackOff
```

My .kube/config is as follows:

```
apiVersion: v1
clusters:
- cluster:
    server: https://192.168.81.119:16443
    certificate-authority-data: my-ca
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: aws
  name: aws
current-context: aws
kind: Config
preferences: {}
users:
- name: aws
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: /home/ubuntu/aws-iam-authenticator
      args:
        - "token"
        - "-i"
        - "aws-cluster-123456"
        - "-r"
        - "<role-arn>"
```
1 answer, 0 votes, 26 views, asked a month ago

Why is my EFS File system policy blocking Fargate from mounting the EFS even though it includes the Task Execution Role arn?

I'm currently using an EFS mounted on a Fargate task. The task uses roles CustomECSTaskExecutionAgent for task execution and CustomECSTaskAgent for the task. With no file system policy in place, Fargate mounts fine and my task is able to read/write to the EFS. However, my company requires a File System Policy for each EFS, so I added the following:

```
{
  "Version": "2012-10-17",
  "Id": "efs-statement-8e30733a-a93f-414f-b5b6-284bd5a02c0a",
  "Statement": [
    {
      "Sid": "efs-statement-7c9d03e6-379b-422e-afe6-4d92e7ff4303",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<accountid>:role/CustomECSTaskAgent",
          "arn:aws:iam::<accountid>:role/CustomECSTaskExecutionAgent",
          "arn:aws:iam::<accountid>:role/CustomEC2Agent"
        ]
      },
      "Action": "elasticfilesystem:*",
      "Resource": "arn:aws:elasticfilesystem:us-east-1:<accountid>:file-system/fs-id"
    }
  ]
}
```

With this policy Fargate is not able to mount the drive. I get the following error:

`ResourceInitializationError: failed to invoke EFS utils commands to set up EFS volumes: stderr: b'mount.nfs4: access denied by server while mounting fs-id.efs.us-east-1.amazonaws.com:/' : unsuccessful EFS utils command execution; code: 32`

If I add the following statement to the policy, then Fargate is able to mount the drive, but the task fails immediately because it is not able to read/write. I cannot keep the below statement because it is too permissive, and I'd like to know what Principal I need for:

1. Fargate to mount successfully
2. My task to read/write

```
{
  "Sid": "efs-statement-7c9d03e6-379b-422e-afe6-4d92e7ff4303",
  "Effect": "Allow",
  "Principal": {
    "AWS": "*"
  },
  "Action": "elasticfilesystem:ClientMount",
  "Resource": "arn:aws:elasticfilesystem:us-east-1:<accountid>:file-system/fs-id"
}
```
1 answer, 0 votes, 43 views, Olly asked a month ago