ECS Task is not using the role attached to it?

0

I'm not entirely sure what's going on here. I have a container that's using ubuntu:focal as a base, and the application that's running in the container uses the aws-sdk-php v3.217 to access Secrets Manager. The application is able to access the AWS services when it's running on an EC2 instance, but when it's running in ECS (with the exact same permissions on the role), I get this error:

2022/08/26 14:07:07 [error] 11#11: *3162 FastCGI sent in stderr: "PHP message: PHP Fatal error: Uncaught Aws\Exception\CredentialsException: Error retrieving credentials from the instance profile metadata service. (cURL error 7: (see https://curl.haxx.se/libcurl/c/libcurl-errors.html)) in .../vendor/aws/aws-sdk-php/src/Credentials/InstanceProfileProvider.php:264

I guess my main question is, is there another service that needs to be running for the SDK to be able to use the role attached to the container, or is it something entirely different?

2 Answers
1
Accepted Answer

The ECS documentation, IAM roles for tasks, notes that you can retrieve the IAM credentials by running curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI. This address is different from EC2's metadata URL (169.254.169.254). Therefore, your SDK client needs to point to another location to retrieve credentials. For AWS SDK for PHP, I can see a class called EcsCredentialsProvider. Please try to use the class to retrieve the credentials.

AWS
answered 2 years ago
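
The lookup the accepted answer describes, as an added example that is not part of the original thread: a shell check to run inside the container, in the same user and environment as the PHP process, that shows which credential endpoint that environment implies and prints only the non-secret fields of the response. The function names, the `--fetch` switch and the sample response values are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the thread); function names are hypothetical.

# Print the credential endpoint implied by the environment of *this* process.
credential_endpoint() {
    if [ -n "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]; then
        # ECS task role: fixed address 169.254.170.2 plus the per-task path.
        printf 'http://169.254.170.2%s\n' "$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
    else
        # Variable not visible: only the EC2 instance metadata address is left,
        # which is where the InstanceProfileProvider in the error was looking.
        printf 'http://169.254.169.254/latest/meta-data/iam/security-credentials/\n'
    fi
}

# Read a credentials JSON document on stdin and print only the non-secret
# fields, so the check can be logged without exposing keys or tokens.
summarize_credentials() {
    json=$(cat)
    for field in RoleArn Expiration; do
        value=$(printf '%s' "$json" |
            sed -n 's/.*"'"$field"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
        printf '%s=%s\n' "$field" "${value:-<missing>}"
    done
}

# Constructed sample response (placeholder values), shaped like the JSON the
# task credentials endpoint returns.
SAMPLE_RESPONSE='{"RoleArn":"arn:aws:iam::111122223333:role/example-task-role","AccessKeyId":"EXAMPLEKEYID","SecretAccessKey":"EXAMPLESECRET","Token":"EXAMPLETOKEN","Expiration":"2022-08-26T20:07:07Z"}'

# Live check, run inside the container: sh check.sh --fetch
if [ "${1:-}" = "--fetch" ]; then
    url=$(credential_endpoint)
    case "$url" in
        http://169.254.170.2*) curl -sS --max-time 2 "$url" | summarize_credentials ;;
        *) echo "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is not visible to this process" ;;
    esac
fi
```

If the live check prints the task role's ARN from a plain shell but the application still fails, compare the environment of the application process with that of the shell.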
1

The IAM credentials can be retrieved from EC2 metadata URL (169.254.169.254). You need to reconfirm if your SDK code is fetching the required credentials from the correct URL as mentioned. Please do check out this link for assistance with SDK on credentials class. [+] https://docs.aws.amazon.com/aws-sdk-php/v3/api/class-Aws.Credentials.EcsCredentialProvider.html

AWS
Support Engineer
answered 2 years ago
