
AWS::Event::Rule FailedInvocation debug info?


I have an AWS::Event::Rule that routes an S3 put event to an ECS task. I can see from the metrics that the rule is being triggered, but I also see FailedInvocation on every trigger. I suspect that's a permission / policy issue, but I am not able to find any debug info or log. Is this debug info available somewhere?

I see a similar issue with Lambda as the target, which needs an extra permission on the Lambda side to allow triggering from events, but I was not able to find similar settings for ECS. See: AWS Cloudformation - Invocation of Lambda by Rule Event failed

Here is the related CloudFormation code, which shows the current role with the ECS target:

Resources:
  ECSTrigger:
    Type: AWS::Events::Rule
    Properties:
      ...
      Targets: # target of trigger: ECS
        - Arn:
            Fn::Sub: 'arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:cluster/${ClusterName}'
          Id: 'EcsTriggerTarget'
          InputTransformer:
            InputPathsMap:
              s3_bucket: "$.detail.requestParameters.bucketName"
              s3_key: "$.detail.requestParameters.key"
            InputTemplate: '{"containerOverrides": [{"environment": [{"name": "S3_BUCKET", "value": <s3_bucket>}, {"name": "S3_KEY", "value": <s3_key>}]}]}'
          EcsParameters:
            LaunchType: FARGATE
            PlatformVersion: LATEST
            TaskCount: 1
            TaskDefinitionArn:
              Ref: Task
            NetworkConfiguration:
              AwsVpcConfiguration:
                AssignPublicIp: DISABLED
                SecurityGroups: ...
                Subnets: ...
          RoleArn:
            Fn::GetAtt: EcsTriggerRole.Arn

  EcsTriggerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: 'sts:AssumeRole'
            Principal:
              Service: 'events.amazonaws.com'
      ManagedPolicyArns:
        - Fn::Sub: 'arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonEC2ContainerServiceEventsRole'

Solution

  • It seems the issue is that I missed a "name" inside "containerOverrides" in InputTemplate; it works when I put it this way:

                InputTemplate:
                  Fn::Sub: >-
                    { "containerOverrides": [ {
                      "name": "${ServiceContainerName}",
                      "environment": [
                        { "name":"S3_BUCKET", "value":<s3_bucket> },
                        { "name":"S3_KEY", "value":<s3_key> } ]
                    } ] }
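
Because FailedInvocation carries no detail, a pre-deploy check can catch the missing "name" that the answer identifies. The following is an added example, not code from the original post: it approximates the InputTransformer substitution for simple `$.a.b` paths and lints the rendered ECS input. The function names, the sample event, and the container name `app` are constructed assumptions.

```python
import json
import re

PLACEHOLDER = re.compile(r"<([A-Za-z0-9_]+)>")

def render(template, paths, event):
    """Approximate InputTransformer: replace <key> with the JSON value at a simple $.a.b path."""
    def value_at(path):
        node = event
        for part in path.split(".")[1:]:  # drop the leading "$"
            node = node[part]
        return node
    return PLACEHOLDER.sub(lambda m: json.dumps(value_at(paths[m.group(1)])), template)

def lint_overrides(rendered):
    """Return a list of problems in the rendered ECS target input (empty list = OK)."""
    try:
        doc = json.loads(rendered)
    except json.JSONDecodeError as exc:
        return [f"rendered input is not valid JSON: {exc}"]
    problems = []
    for i, override in enumerate(doc.get("containerOverrides", [])):
        if not override.get("name"):
            problems.append(f'containerOverrides[{i}] has no "name"')
    return problems

# InputPathsMap from the question.
PATHS = {"s3_bucket": "$.detail.requestParameters.bucketName",
         "s3_key": "$.detail.requestParameters.key"}
# Constructed sample event (only the fields the paths read).
EVENT = {"detail": {"requestParameters": {"bucketName": "example-bucket", "key": "in/a.csv"}}}

# Template from the question (no "name").
BEFORE = ('{"containerOverrides": [{"environment": [{"name": "S3_BUCKET", "value": <s3_bucket>}, '
          '{"name": "S3_KEY", "value": <s3_key>}]}]}')
# Template from the answer; "app" is a constructed stand-in for ${ServiceContainerName}.
AFTER = ('{"containerOverrides": [{"name": "app", "environment": '
         '[{"name": "S3_BUCKET", "value": <s3_bucket>}, {"name": "S3_KEY", "value": <s3_key>}]}]}')

if __name__ == "__main__":
    for label, tpl in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_overrides(render(tpl, PATHS, EVENT)) or "OK")
```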