How can I access other AWS services from my Amazon ECS tasks on Fargate?

Last updated: 2021-03-01

I want to access other AWS services from my Amazon Elastic Container Service (Amazon ECS) tasks on AWS Fargate.

Short description

Before you get started, you must identify the following:

  • The AWS services that your Fargate tasks are trying to access
  • The resources that your Fargate tasks have permissions to act on

The following example resolution is based on an application running on Fargate that includes:

  • A Fargate task that's trying to put data into an Amazon Simple Storage Service (Amazon S3) bucket
  • A list of objects (the resources) that will be put into the bucket

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Resolution

Create an S3 bucket and IAM role

1.    Create an S3 bucket where you can store your data. Example bucket name: fargate-app-bucket

Note: The bucket name must be unique as per S3 bucket naming requirements.

2.    Create an AWS Identity and Access Management (IAM) role with permissions to access your S3 bucket. Example role name: AWS-service-access-role

Note: In this example, the application is required only to put objects into an S3 bucket and list those objects. For more information on the trust relationship of the IAM role, see Creating an IAM Role and Policy for your Tasks.

Example IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::fargate-app-bucket/*"
        }
    ]
}
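To see exactly what this policy grants the task, the following added example (not from the article) implements a deliberately simplified version of IAM identity-policy evaluation (explicit Deny wins, otherwise a matching Allow grants, otherwise implicit deny; conditions, NotAction and resource policies are not modelled) and checks the article's policy against the calls the container makes. Note one caveat the policy itself shows: listing a bucket needs s3:ListBucket on the bucket ARN (without the /* suffix), which this policy does not grant, while s3:GetObject is granted but never used by the article's put-object command. The object key and the extra request pairs are constructed for the example.

```python
import json
import re

# The task-role policy from the article, embedded so the example runs offline.
TASK_ROLE_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject"],
            "Resource": "arn:aws:s3:::fargate-app-bucket/*"
        }
    ]
}
""")


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, case_insensitive):
    """IAM wildcards: '*' matches any run of characters, '?' matches exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny always wins, otherwise
    any matching Allow grants access, otherwise the request is implicitly denied.
    Action names compare case-insensitively; resource ARNs compare case-sensitively."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_wildcard_match(p, action, True)
                         for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_wildcard_match(p, resource, False)
                           for p in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_permissions(policy, requests):
    """Return the (action, resource) pairs that the policy does not allow."""
    return [(a, r) for a, r in requests if not is_allowed(policy, a, r)]


# Constructed request list: the put-object call the article's container makes, plus
# the list call the article's text mentions. ListBucket is a bucket-level permission,
# so its resource is the bucket ARN itself, not "<bucket>/*".
BUCKET_ARN = "arn:aws:s3:::fargate-app-bucket"
APP_REQUESTS = [
    ("s3:PutObject", BUCKET_ARN + "/test-file.txt"),
    ("s3:ListBucket", BUCKET_ARN),
]

if __name__ == "__main__":
    for action, resource in APP_REQUESTS:
        verdict = "allow" if is_allowed(TASK_ROLE_POLICY, action, resource) else "deny"
        print(f"{action} on {resource} -> {verdict}")
```

Running it shows that the put-object call succeeds while a list call would be denied; if your application only ever calls put-object, the least-privilege policy drops s3:GetObject as well.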

Create an Amazon ECS cluster and task definition

1.    Create an Amazon ECS cluster on Fargate using either the AWS Management Console or the AWS CLI in your AWS Region.

2.    Create a task definition that uses the Fargate launch type, and specify the IAM role that you created earlier in the task role field.

Important: In your task definition, set the task role parameter to the IAM role that you created earlier. This task role is used by the container to access AWS services.

Use the task role with the Fargate container

For more information on how the Amazon ECS container agent for Fargate works with role credentials, see IAM Roles for Tasks.

1.    To query the container credentials, run the following command from inside your container:

$ curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI

2.    In the container definition, add the image name that the container will use.

Note: For example, you can use the official Docker image "amazon/aws-cli:latest", whose entrypoint is the AWS CLI, to make AWS API calls.

3.    In the command section for the container (inside the container definition only), run the following command to put an object into your S3 bucket:

"command": ["s3api", "put-object", "--bucket", "fargate-app-bucket", "--key", "test-file.txt"]

Important: You must include the test-file.txt file in the image when the image is built. This ensures that the file exists on the container when it runs on Fargate. The command in step 3 runs when the task runs or when the container starts.
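The following added example (not from the article) pulls the task definition steps above together: it builds the register-task-definition input for this scenario, with the task role set and the container command as a list of JSON strings, and validates a definition for the mistakes that produce the failures described later in the article (no task role, a command element that is not a string). The account ID, execution role ARN, log group, CPU and memory values are placeholders to replace with your own.

```python
import json

# Placeholder ARNs for the example; substitute your account's role ARNs.
TASK_ROLE_ARN = "arn:aws:iam::123456789012:role/AWS-service-access-role"
EXECUTION_ROLE_ARN = "arn:aws:iam::123456789012:role/ecsTaskExecutionRole"


def build_task_definition(task_role_arn, bucket, key, body=None, region="us-east-1"):
    """Return a dict in the shape `aws ecs register-task-definition --cli-input-json` expects.

    taskRoleArn is what the container's AWS CLI will use for its S3 call; executionRoleArn
    is used by the ECS agent itself to pull the image and ship logs to CloudWatch.
    The amazon/aws-cli image's entrypoint is "aws", so the command starts at the subcommand.
    Without --body, put-object creates an empty object; pass body=key to upload the
    file that was baked into the image."""
    command = ["s3api", "put-object", "--bucket", bucket, "--key", key]
    if body is not None:
        command += ["--body", body]
    return {
        "family": "fargate-app",
        "requiresCompatibilities": ["FARGATE"],
        "networkMode": "awsvpc",
        "cpu": "256",
        "memory": "512",
        "taskRoleArn": task_role_arn,
        "executionRoleArn": EXECUTION_ROLE_ARN,
        "containerDefinitions": [
            {
                "name": "aws-cli",
                "image": "amazon/aws-cli:latest",
                "essential": True,
                "command": command,
                "logConfiguration": {
                    "logDriver": "awslogs",
                    "options": {
                        "awslogs-group": "/ecs/fargate-app",   # placeholder log group
                        "awslogs-region": region,
                        "awslogs-stream-prefix": "ecs",
                    },
                },
            }
        ],
    }


def validate_task_definition(td):
    """Return a list of problems; an empty list means the definition passes these checks."""
    problems = []
    if not td.get("taskRoleArn"):
        problems.append("taskRoleArn missing: the container will report "
                        "'Unable to locate credentials'")
    if "FARGATE" not in td.get("requiresCompatibilities", []):
        problems.append("requiresCompatibilities must include FARGATE")
    if td.get("networkMode") != "awsvpc":
        problems.append("Fargate tasks require networkMode awsvpc")
    for c in td.get("containerDefinitions", []):
        name = c.get("name", "<unnamed>")
        if not c.get("image"):
            problems.append(f"container {name}: no image set")
        if any(not isinstance(part, str) for part in c.get("command", [])):
            problems.append(f"container {name}: every command element must be a JSON string")
    return problems


def without_task_role(td):
    """The 'task role = None' revision from the article's negative test."""
    return {k: v for k, v in td.items() if k != "taskRoleArn"}


if __name__ == "__main__":
    td = build_task_definition(TASK_ROLE_ARN, "fargate-app-bucket", "test-file.txt")
    print(validate_task_definition(td))                    # []
    print(validate_task_definition(without_task_role(td)))  # one problem
    with open("taskdef.json", "w") as f:
        json.dump(td, f, indent=2)
```

Register the written file with `aws ecs register-task-definition --cli-input-json file://taskdef.json`. The ETag shown later in the article, d41d8cd98f00b204e9800998ecf8427e, is the MD5 of empty content, which is what put-object stores when --body is omitted; add body="test-file.txt" if you want the file from the image uploaded.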

Create and run a task

1.    Create a task using the task definition that you created earlier.

2.    Inside your Fargate cluster, run a standalone task using a Fargate launch type and the task definition that you created earlier.

Note: You can also run a task by using a service.

When the task begins its lifecycle, the task first goes into RUNNING state, and then performs its job. Later, the task is STOPPED, because the container is only responsible for running a single AWS CLI command.

You can view the stopped task's container output in Amazon CloudWatch Logs. The log shows output similar to the following:

{
"ETag": "\"d41d8cd98f00b204e9800998ecf8427e\""
}

Note: If you look in the S3 bucket later, then you can see that the object test-file.txt is successfully generated.

Check to see what happens when you don't use the task role inside the task definition

1.    Create a new revision of the task definition that you created earlier, and set the value of the task role to None.

2.    Run the task again with your new revision of the task definition.

Once the task completes its lifecycle, you can use CloudWatch Logs to see output similar to the following:

Unable to locate credentials. You can configure credentials by running "aws configure".

Note: To access other AWS services from your Fargate tasks, you must create an IAM role with permissions to access the services. Then, you must use this role within the task definition (in the task role parameter) to give the container access to the AWS services.

Important: The environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is available only to PID 1 processes within a container. If the container is running multiple processes or init processes (such as a wrapper script, start script, or supervisord), the environment variable is unavailable to non-PID 1 processes. Those processes could result in "Access denied" errors when they try to access AWS services. To set your environment variable so that it's available to non-PID 1 processes, export the environment variable in the .profile file. For example, run the following command to export the variable in the Dockerfile for your container image:

RUN echo 'export $(strings /proc/1/environ | grep AWS_CONTAINER_CREDENTIALS_RELATIVE_URI)' >> /root/.profile
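The following added example (not from the article, and not the AWS SDK's own provider code) shows what happens behind the curl command and the PID 1 note above: it recovers AWS_CONTAINER_CREDENTIALS_RELATIVE_URI from a /proc/1/environ-style NUL-separated blob (the Python equivalent of the strings | grep line in the Dockerfile), builds the 169.254.170.2 endpoint URL, and parses the endpoint's JSON response, reporting "no_credentials" when the variable is absent, the condition behind the "Unable to locate credentials" output, and "expired" when the Expiration has passed. The environ blob, the credential ID in the URI and the JSON response are constructed sample data, not captured from a real task.

```python
import json
import urllib.request
from datetime import datetime, timezone

CREDENTIALS_HOST = "http://169.254.170.2"   # link-local endpoint the article's curl queries
ENV_VAR = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"


def relative_uri_from_environ(blob):
    """Recover the variable from a /proc/<pid>/environ-style blob (NUL-separated
    KEY=VALUE entries). Returns None if the variable is not present."""
    prefix = ENV_VAR.encode() + b"="
    for entry in blob.split(b"\0"):
        if entry.startswith(prefix):
            return entry[len(prefix):].decode()
    return None


def credentials_url(environ):
    """Full URL of the task credential endpoint, or None when the variable is absent
    (the non-PID-1 situation the article warns about)."""
    uri = environ.get(ENV_VAR)
    return CREDENTIALS_HOST + uri if uri else None


def parse_timestamp(value):
    """Timestamps are ISO-8601 UTC with a trailing Z, e.g. 2021-03-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_unexpired(creds, now):
    """True while the credential's Expiration lies after `now`."""
    return parse_timestamp(creds["Expiration"]) > parse_timestamp(now)


def fetch_task_credentials(environ, fetch, now):
    """Return (status, credentials) where status is "ok", "no_credentials" or "expired".
    `fetch(url)` returns the endpoint's JSON text, so an offline fetcher can be injected."""
    url = credentials_url(environ)
    if url is None:
        return "no_credentials", None
    creds = json.loads(fetch(url))
    if not is_unexpired(creds, now):
        return "expired", None
    return "ok", creds


def http_fetch(url):
    """Real fetcher for use inside a Fargate container (not exercised offline)."""
    with urllib.request.urlopen(url, timeout=2) as resp:
        return resp.read().decode()


# --- Constructed sample data ---
SAMPLE_ENVIRON_BLOB = (b"PATH=/usr/local/bin:/usr/bin\0"
                       b"AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/constructed-task-id\0"
                       b"HOME=/root\0")
SAMPLE_RESPONSE = json.dumps({
    "RoleArn": "arn:aws:iam::123456789012:role/AWS-service-access-role",
    "AccessKeyId": "ASIACONSTRUCTEDEXAMPLE",
    "SecretAccessKey": "constructed-secret",
    "Token": "constructed-session-token",
    "Expiration": "2021-03-01T12:00:00Z",
})


def sample_fetch(url):
    """Offline stand-in for http_fetch that answers only the expected URL."""
    if not url.startswith(CREDENTIALS_HOST + "/v2/credentials/"):
        raise ValueError("unexpected credential URL: " + url)
    return SAMPLE_RESPONSE


if __name__ == "__main__":
    env = {ENV_VAR: relative_uri_from_environ(SAMPLE_ENVIRON_BLOB)}
    print(fetch_task_credentials(env, sample_fetch, "2021-03-01T11:00:00Z")[0])  # ok
    print(fetch_task_credentials({}, sample_fetch, "2021-03-01T11:00:00Z")[0])   # no_credentials
```

Inside a real container, pass os.environ and http_fetch instead of the sample data; the SDKs and the AWS CLI do the same lookup automatically, which is why a process that cannot see the variable falls through to "Unable to locate credentials".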
