Tags: amazon-web-services, amazon-ecs, aws-fargate

ECS Fargate Task Container missing AWS_CONTAINER_CREDENTIALS_RELATIVE_URI


My task definition is linked to an IAM role, which works flawlessly under official AWS testing environment. However, in production, I keep getting this error:

```text
CredentialsError: Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1
```

I launch my Fargate setup using some predefined official AWS templates, and my task definition looks like this (YAML format):

```yaml
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: !Ref 'ServiceName'
      Cpu: !Ref 'ContainerCpu'
      Memory: !Ref 'ContainerMemory'
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      ExecutionRoleArn: 'arn:aws:iam::835985753999:role/ecsTaskExecutionRole'
      ContainerDefinitions:
        - Name: !Ref 'ServiceName'
          Cpu: !Ref 'ContainerCpu'
          Memory: !Ref 'ContainerMemory'
          Image: !Ref 'ImageUrl'
          PortMappings:
            - ContainerPort: !Ref 'ContainerPort'
          LogConfiguration:
            LogDriver: 'awslogs'
            Options:
              awslogs-group: 'sharingmonsterlog'
              awslogs-region: 'eu-west-3'
              awslogs-stream-prefix: 'test'
```

I added some Node.js debug lines that console-print the environment variables in production, which look like this:

```js
{ PATH: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
  HOSTNAME: 'ip-10-0-0-209.eu-west-3.compute.internal',
  AWS_DEFAULT_REGION: 'eu-west-3',
  AWS_EXECUTION_ENV: 'AWS_ECS_FARGATE',
  AWS_REGION: 'eu-west-3',
  ECS_CONTAINER_METADATA_URI: 'http://169.254.170.2/v3/8e0739ad-dd47-4672-8eed-d63debdb2fea',
  VERSION: 'v9.11.1',
  NPM_VERSION: '5',
  YARN_VERSION: 'latest',
  CONFIG_FLAGS: '--fully-static --without-npm',
  DEL_PKGS: 'libstdc++',
  RM_DIRS: '/usr/include',
  HOME: '/root' }
```

The ECS agent is supposed to populate AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, but as you can see, it is missing.

Any ideas, please? I am literally desperate; I've been trying to solve this issue for weeks.

Thanks.


Solution

  • I think you're missing the "TaskRoleArn : String" property of AWS::ECS::TaskDefinition. You do have a task execution role, which is used to pull images and push logs, while the task role makes API calls to other AWS services and populates the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI.

    This is vaguely stated in the documentation:

    This option is required if you want to use IAM task roles in an Amazon ECS service.
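    To make the difference between the two roles concrete, here is an added example (not the asker's template and not one of AWS's official ones) of a minimal CloudFormation fragment that defines a task role and wires it in with TaskRoleArn next to the existing ExecutionRoleArn. The ecsTaskExecutionRole ARN, log group and region are taken from the question; the TaskRole resource, the AppBucket parameter, the app-read-only policy and the fixed Cpu/Memory/port values are hypothetical placeholders you would replace with what your application actually needs.

```yaml
Parameters:
  ServiceName:
    Type: String
  ImageUrl:
    Type: String
  AppBucket:            # hypothetical: the one bucket this service must read
    Type: String

Resources:
  # Task role: assumed by the containers of the task. The ECS agent serves its
  # credentials on 169.254.170.2 and sets AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
  # only when TaskRoleArn is present. It is distinct from the execution role,
  # which the agent itself uses to pull the image and ship logs.
  TaskRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
            # Confused-deputy guard: only ECS tasks in this account may assume it.
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
      Policies:
        - PolicyName: app-read-only     # hypothetical least-privilege policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                Resource: !Sub 'arn:aws:s3:::${AppBucket}/*'

  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: !Ref ServiceName
      Cpu: '256'
      Memory: '512'
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      # Execution role from the question: image pull and CloudWatch Logs only.
      ExecutionRoleArn: 'arn:aws:iam::835985753999:role/ecsTaskExecutionRole'
      # The missing property: the role the application code itself runs as.
      TaskRoleArn: !GetAtt TaskRole.Arn
      ContainerDefinitions:
        - Name: !Ref ServiceName
          Image: !Ref ImageUrl
          PortMappings:
            - ContainerPort: 80
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: sharingmonsterlog
              awslogs-region: eu-west-3
              awslogs-stream-prefix: test
```

    Once this is deployed, the SDK's default credential chain finds AWS_CONTAINER_CREDENTIALS_RELATIVE_URI in the container's environment and the CredentialsError goes away. Keeping the task role's policy scoped to the resources the service needs also means that any API call the container makes shows up in CloudTrail under that role's session, separate from the execution role, which is what you want when auditing what a workload actually touched.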