ECS task unable to pull secrets or registry auth

By -

I have a CDK project that creates a CodePipeline which deploys an application on ECS. I had it all previously working, but the VPC was using a NAT gateway, which ended up being too expensive. So now I am trying to recreate the project without requiring a NAT gateway. I am almost there, but I have now run into issues when the ECS service is trying to start tasks. All tasks fail to start with the following error:

ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve secret from asm: service call has been retried 5 time(s): failed to fetch secret

At this point I've kind of lost track of the different things I have tried, but I will post the relevant bits here as well as some of my attempts.

const repository = ECR.Repository.fromRepositoryAttributes(
  this,
  "ecr-repository",
  {
    repositoryArn: props.repository.arn,
    repositoryName: props.repository.name,
  }
);

// vpc
const vpc = new EC2.Vpc(this, this.resourceName(props, "vpc"), {
  maxAzs: 2,
  natGateways: 0,
  enableDnsSupport: true,
});
const vpcSecurityGroup = new SecurityGroup(this, "vpc-security-group", {
  vpc: vpc,
  allowAllOutbound: true,
});
// tried this to allow the task to access secrets manager
const vpcEndpoint = new EC2.InterfaceVpcEndpoint(this, "secrets-manager-task-vpc-endpoint", {
  vpc: vpc,
  service: EC2.InterfaceVpcEndpointAwsService.SSM,
});

const secrets = SecretsManager.Secret.fromSecretCompleteArn(
  this,
  "secrets",
  props.secrets.arn
);

const cluster = new ECS.Cluster(this, this.resourceName(props, "cluster"), {
  vpc: vpc,
  clusterName: `api-cluster`,
});

const ecsService = new EcsPatterns.ApplicationLoadBalancedFargateService(
  this,
  "ecs-service",
  {
    taskSubnets: {
      subnetType: SubnetType.PUBLIC,
    },
    securityGroups: [vpcSecurityGroup],
    serviceName: "api-service",
    cluster: cluster,
    cpu: 256,
    desiredCount: props.scaling.desiredCount,
    taskImageOptions: {
      image: ECS.ContainerImage.fromEcrRepository(
        repository,
        this.ecrTagNameParameter.stringValue
      ),
      secrets: getApplicationSecrets(secrets), // returns 
      logDriver: LogDriver.awsLogs({
        streamPrefix: "api",
        logGroup: new LogGroup(this, "ecs-task-log-group", {
          logGroupName: `${props.environment}-api`,
        }),
        logRetention: RetentionDays.TWO_MONTHS,
      }),
    },
    memoryLimitMiB: 512,
    publicLoadBalancer: true,
    domainZone: this.hostedZone,
    certificate: this.certificate,
    redirectHTTP: true,
  }
);

const scalableTarget = ecsService.service.autoScaleTaskCount({
  minCapacity: props.scaling.desiredCount,
  maxCapacity: props.scaling.maxCount,
});

scalableTarget.scaleOnCpuUtilization("cpu-scaling", {
  targetUtilizationPercent: props.scaling.cpuPercentage,
});
scalableTarget.scaleOnMemoryUtilization("memory-scaling", {
  targetUtilizationPercent: props.scaling.memoryPercentage,
});

secrets.grantRead(ecsService.taskDefinition.taskRole);
repository.grantPull(ecsService.taskDefinition.taskRole);

I read somewhere that it probably has something to do with Fargate version 1.4.0 vs 1.3.0, but I'm not sure what I need to change to allow the tasks to access what they need to run.



from Recent Questions - Stack Overflow https://ift.tt/eBjt7Jl
https://ift.tt/XonDdbU

Comments

Post a Comment

Popular posts from this blog

Today Walkin 14th-Sept

By -
Image
14th Sept 2017 ( GO Through all List) Read Walkin details properly , Try to call company before attending if possible !!! ==================================== 1. Myntra through fresherworld (Call Based , Venue shared to shortlisted candidates) _____________________________ 2. Magna : Hiring for Client Harman : C++
Read more

Spring Elasticsearch Operations

By -
Elasticsearch Operations Spring Data Elasticsearch uses two interfaces to define the operations that can be called against an Elasticsearch index. These are ElasticsearchOperations and ReactiveElasticsearchOperations. Whereas the first is used with the classic synchronous implementations, the second one uses reactive infrastructure. The default implementations of the interfaces offer: Read/Write mapping support for domain types. A rich query and criteria api. Resource management and Exception translation. ElasticsearchTemplate The ElasticsearchTemplate is an implementation of the ElasticsearchOperations interface using the Transport Client. @Configuration public class TransportClientConfig extends ElasticsearchConfigurationSupport {   @Bean   public Client elasticsearchClient() throws UnknownHostException {                      Settings settings = Settings.builder().put("cluster.name", "elasticsearch")....
Read more

Hibernate Search - Elasticsearch with JSON manipulation

By -
Elasticsearch with JSON manipulation Elasticsearch ships with many features. It is possible that at some point, one feature you need will not be exposed by the Search DSL. To work around such limitations, Hibernate Search provides ways to: Transform the HTTP request sent to Elasticsearch for search queries. Read the raw JSON of the HTTP response received from Elasticsearch for search queries. Direct changes to the HTTP request may conflict with Hibernate Search features and be supported differently by different versions of Elasticsearch. Similarly, the content of the HTTP response may change depending on the version of Elasticsearch, depending on which Hibernate Search features are used, and even depending on how Hibernate Search features are implemented. Thus, features relying on direct access to HTTP requests or responses cannot be guaranteed to continue to work when upgrading Hibernate Search, even for micro upgrades (x.y.z to x.y.(z+1)). Use this at your own risk....
Read more