How do I troubleshoot issues related to tagging in ECS tasks?

Last updated: 2022-04-01

I have an issue with Amazon Elastic Container Service (Amazon ECS) task tags. How do I troubleshoot this?

Resolution

When setting tags with Amazon ECS, you might have the following issues:

  • Your tags aren't propagated from service or task definition to tasks.
  • Your tags have an outdated Amazon Resource Name (ARN) and resource ID format.
  • You're unable to add tags to your ECS resources due to missing AWS Identity and Access Management (IAM) permissions or tag restrictions.
  • You're unable to see ECS tags in the AWS Billing Dashboard.

To troubleshoot these issues, do the following:

Verify that the PropagateTags parameter is used to propagate tags from the service or task definition to tasks

The PropagateTags parameter can be used to copy tags from the task definition or service to the task. This can be done when you're running a task or creating a service. This parameter is not turned on by default.

To check whether PropagateTags is set for a specific service, run the following AWS CLI command, replacing servicename, clustername, and region with the appropriate values:

aws ecs describe-services --services <servicename> --cluster <clustername> --region <region> --query 'services[*].propagateTags' --output text

To configure tags to propagate from the service or task definition using the AWS CLI, see RunTask and CreateService API.

To activate tag propagation using the console:

  1. Open the Amazon ECS console.
  2. Select the AWS Region for your ECS resource.
  3. In the navigation pane, select Task Definitions.
  4. Select the task definition from the resource list, and choose Actions. Then, choose Create Service or Run Task.
  5. In the Task tagging configuration, next to Propagate tags from, choose Service or Task definitions.
    Note: The default option is Do not propagate.

To use tags in ECS with AWS CloudFormation, declare an AWS::ECS::Service resource with the EnableECSManagedTags property and with the PropagateTags property set to SERVICE or TASK_DEFINITION.

Note:

  • Adding ECS service tag-related properties in CloudFormation after stack creation requires a stack update and resource replacement. That means CloudFormation deletes and recreates the service.
  • The PropagateTags parameter can be set only when you're running a task or creating a service. For more information, see RunTask and CreateService API.
  • You have access to the same configurations for Scheduled tasks as you do for tasks launched directly using the Amazon ECS RunTask API.

Verify that you are using the new ARN format

To tag Amazon ECS resources, you must use the new Amazon Resource Name (ARN) and resource ID formats.

Example of the two formats:

  • Old format: arn:aws:ecs:region:aws_account_id:service/service-name
  • New format: arn:aws:ecs:region:aws_account_id:service/cluster-name/service-name

To migrate your ECS deployment to the new ARN and resource ID format, see Migrating your Amazon ECS deployment to the new ARN and resource ID format.

Note: For tagging purposes, existing resources don't receive the new ARN format until they are recreated.
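The format check above can be scripted over an inventory of ARNs. The following is an added example, not part of the original article: the function names and sample ARNs are constructed, and it goes beyond the service example shown by also covering task and container instance ARNs, which follow the same cluster-name rule.

```python
# Added example: classify ECS ARNs as old or new format (sample values are constructed).
# Assumption beyond the article's service example: task and container-instance ARNs
# follow the same rule (the new format inserts the cluster name before the resource ID).
VERSIONED_TYPES = {"service", "task", "container-instance"}

def ecs_arn_format(arn: str) -> str:
    """Return 'old', 'new', or 'unaffected'; raise ValueError for a malformed ECS ARN."""
    parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "ecs":
        raise ValueError(f"not an ECS ARN: {arn!r}")
    rtype, _, path = parts[5].partition("/")
    segments = path.split("/")
    if not rtype or not path or "" in segments:
        raise ValueError(f"malformed ECS resource: {parts[5]!r}")
    if rtype not in VERSIONED_TYPES:
        return "unaffected"   # for example cluster/<name>, which has a single format
    if len(segments) == 1:
        return "old"          # service/service-name
    if len(segments) == 2:
        return "new"          # service/cluster-name/service-name
    raise ValueError(f"unexpected segment count in: {parts[5]!r}")

def needs_recreation(arns):
    """Return the ARNs still in the old format, which can't be tagged until recreated."""
    return [a for a in arns if ecs_arn_format(a) == "old"]

# Constructed inventory; the account ID and names are placeholders.
SAMPLE_ARNS = [
    "arn:aws:ecs:us-east-1:123456789012:service/web",
    "arn:aws:ecs:us-east-1:123456789012:service/prod/web",
    "arn:aws:ecs:us-east-1:123456789012:task/1a2b3c4d",
    "arn:aws:ecs:us-east-1:123456789012:task/prod/1a2b3c4d",
    "arn:aws:ecs:us-east-1:123456789012:cluster/prod",
]

if __name__ == "__main__":
    for arn in SAMPLE_ARNS:
        print(f"{ecs_arn_format(arn):10} {arn}")
```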

Verify that the IAM entity has the required permissions and check tag restrictions

If you are unable to add tags to your ECS service, do the following:

  1. In the CloudTrail console, check CloudTrail events for TagResource events.
  2. If you see one of the following errors, then the IAM entity doesn't have the ecs:TagResource permissions: "AccessDenied" or "The tags cannot be updated at this time. Wait a few minutes and try again".
  3. To solve this, add ecs:TagResource permissions to the IAM entities.
  4. After the permissions have been added, retry adding the tags to the ECS cluster.
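The CloudTrail check in the steps above can be run over exported event records. The following is an added example, not part of the original article: the records are constructed, the function names are hypothetical, and it assumes the standard CloudTrail record fields eventSource, eventName, errorCode, errorMessage, userIdentity.arn and requestParameters.resourceArn.

```python
import json

# Constructed CloudTrail records (not real log data); account ID and role names are placeholders.
SAMPLE_RECORDS = json.loads("""[
 {"eventSource": "ecs.amazonaws.com", "eventName": "TagResource", "errorCode": "AccessDenied",
  "errorMessage": "User is not authorized to perform: ecs:TagResource",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy-role"},
  "requestParameters": {"resourceArn": "arn:aws:ecs:us-east-1:123456789012:service/prod/web"}},
 {"eventSource": "ecs.amazonaws.com", "eventName": "TagResource",
  "errorMessage": "The tags cannot be updated at this time. Wait a few minutes and try again",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy-role"},
  "requestParameters": null},
 {"eventSource": "ecs.amazonaws.com", "eventName": "TagResource",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:role/admin-role"},
  "requestParameters": {"resourceArn": "arn:aws:ecs:us-east-1:123456789012:cluster/prod"}},
 {"eventSource": "ec2.amazonaws.com", "eventName": "CreateTags", "errorCode": "AccessDenied",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy-role"}}
]""")

TAG_UPDATE_MESSAGE = "The tags cannot be updated at this time"

def failed_tag_attempts(records):
    """Return ECS TagResource calls that failed with either error named in step 2."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "ecs.amazonaws.com" or rec.get("eventName") != "TagResource":
            continue
        code = rec.get("errorCode") or ""
        message = rec.get("errorMessage") or ""
        # Assumption: prefix match, so an AccessDeniedException code is caught as well.
        if code.startswith("AccessDenied") or TAG_UPDATE_MESSAGE in message:
            params = rec.get("requestParameters") or {}  # can be null on failed calls
            findings.append({
                "principal": (rec.get("userIdentity") or {}).get("arn", "unknown"),
                "resource": params.get("resourceArn", "unknown"),
                "error": code or message,
            })
    return findings

def tag_policy(findings, principal):
    """Build an IAM policy granting ecs:TagResource only on the resources that principal failed on."""
    resources = sorted({f["resource"] for f in findings
                        if f["principal"] == principal and f["resource"] != "unknown"})
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "ecs:TagResource", "Resource": resources}]}

if __name__ == "__main__":
    hits = failed_tag_attempts(SAMPLE_RECORDS)
    print(json.dumps(tag_policy(hits, "arn:aws:iam::123456789012:role/deploy-role"), indent=2))
```

Scoping the generated statement to the resources that failed, rather than to all resources, keeps the added permission no broader than the fix requires.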

Confirm that your ECS tags are within the tag restrictions. To review the restrictions, see Tag restrictions.

Check if it is an AWS Billing and Cost Management issue

To verify that the required tags are present at the ECS task level, run the following AWS CLI command, replacing value with the ARN:

aws ecs list-tags-for-resource --resource-arn <value>

To verify that the required tags are present at the ECS task level using the console:

  1. Open the Amazon ECS console.
  2. Select the AWS Region for your ECS resource.
  3. In the navigation pane, select a resource type (for example, Clusters).
  4. Select the resource from the resource list and choose Tags.
    If tags exist, they will be listed.

If you are looking for managed tags, then ECS-managed tags must be turned on. Verify the ECS-managed tags status by running the following command, replacing servicename, clustername, and region with the appropriate values:

aws ecs describe-services --services <servicename> --cluster <clustername> --region <region> --query 'services[*].enableECSManagedTags' --output text

The command output contains the enableECSManagedTags value.

You can activate ECS-managed tags when creating a service or running a task with the AWS CLI. For more information, see RunTask and CreateService API.

To activate ECS-managed tags using the console:

  1. Open the Amazon ECS console.
  2. Select the AWS Region for your ECS resource.
  3. In the navigation pane, select Task Definitions.
  4. Select the task definition from the resource list, and choose Actions. Then, choose Create Service or Run Task.
  5. In the Task tagging configuration, choose Enable ECS managed tags.

If tags used for billing are listed but can't be seen in AWS Cost Explorer, be sure that the tags are activated from the Billing and Cost Management console. To activate cost allocation tags, see Activating user-defined cost allocation tags.

Note: Every tag that has to be viewed as a filter in Cost Explorer needs to be activated. It can take up to 24 hours for tags to activate.
