14

First, I use the server environment:

  • server: django + nginx + uwsgi
  • cloud: docker + AWS ECS
  • logging: AWS CloudWatch log service + watchtower third party app

I am using the watchtower third party app for the AWS CloudWatch log service. So, I need to give AWS credential information to the docker container.

When testing locally, `docker run -v $HOME/.aws:/root/.aws --rm -it -p 8080:80 image_name` will connect the local credentials to the volume.

But I don't know how to apply it in AWS ECS.

http://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-agent-config.html

I am following the above article, and I have written the .aws/ecs.config file by following it.

AWS_DEFAULT_REGION=ap-northeast-1
AWS_ACCESS_KEY_ID=bbbbbbbbb
AWS_SECRET_ACCESS_KEY=aaaaaaaaaaaa

I added a command to the Dockerfile like below.

COPY .aws/ecs.config /etc/ecs/ecs.config

However, internal server error occurs when accessing ECS.

I have also tried to assign an "IAM role" to the container in the "Task define" step. Even if I create a "CloudWatchLogsFullAccess IAM role", nothing appears in the role drop-down of the "Task define" creation screen.

If you have any other way, please help me.

Thank you.

Here is my logging setting. In local tests, logging works normally.

LOGGING = {
    'version': 1,
    'disable_existing_loggers': False,
    'formatters': {
        'verbose': {
            'format': '%(levelname)s %(asctime)s %(module)s %(process)d %(thread)d %(message)s'
        },
        'simple': {
            'format': '%(levelname)s %(message)s'
        },
    },
    'handlers': {
        'watchtower': {
            'level': 'DEBUG',
            'class': 'watchtower.CloudWatchLogHandler',
            'formatter': 'verbose',
        },
        'console': {
            'level': 'INFO',
            'class': 'logging.StreamHandler',
        },
    },
    'loggers': {
        'django': {
            'handlers': ['watchtower', 'console'],
            'level': 'INFO',
            'propagate': True,
        },
        'django.user': {
            'handlers': ['watchtower'],
            'level': DJANGO_LOG_LEVEL,
            'propagate': False,
        },
        'django.partner': {
            'handlers': ['watchtower'],
            'level': DJANGO_LOG_LEVEL,
            'propagate': False,
        },
    }
}
byunghyun park

2 Answers

4

With IAM roles for Amazon ECS tasks, you can specify an IAM role that can be used by the containers in a task to access AWS resources.

Ashan
  • Thank you for the answer! But I have one more question. http://www.tothenew.com/blog/attach-iam-role-to-an-aws-elastic-container-service-task/ I created the IAM as in the above link and applied it to the task definitions. However, `curl 169.254.170.2 $ AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` returns 404 page not found. Do you know why? – byunghyun park Jun 02 '17 at 08:55
  • You have a space after $ – Robert Jun 02 '17 at 10:36
  • I still receive an error about the region `Unable to configure handler 'access': You must specify a region.` The `curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` returns data, what am I missing? .. this works from inside the container. Should it be allowed at the EC2 instance? – EsseTi May 24 '18 at 15:13
  • Even by adding the `aws/config` where the region is specified, django has problems running. Running `django shell` and using the log works. It seems like django is not reading the folder /root/.aws/config – EsseTi May 24 '18 at 15:33
  • I am using CloudFormation and I had to specify `TaskRoleArn` in the `TaskDefinition.Properties` before the `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` got injected into my container. – redgeoff Nov 29 '22 at 22:52
0

With Cloud Formation, you need to add a TaskRoleArn to the TaskDefinition.Properties. Then you need to add appropriate policies to the role to have permissions that are used in your task code.

Code-Apprentice
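Both answers come down to the same change: the task definition needs a task role (`taskRoleArn` in the register-task-definition JSON, `TaskRoleArn` under `TaskDefinition.Properties` in CloudFormation), and the application container must not carry static keys (the question's `COPY .aws/ecs.config /etc/ecs/ecs.config` also puts the file where only the ECS agent on the container instance would read it, not the Django process). The script below is an added example, not code from the answers or from AWS: it audits a task definition in either key casing for a missing role, static keys in `environment`, and a missing region, and builds a task-role policy scoped to one log group instead of `CloudWatchLogsFullAccess`. The two task definitions, the account id, role ARN and image name are constructed; the action list in the policy is an assumption about what a log-writing handler needs and should be trimmed to the calls your handler actually makes.

```python
import json
from typing import Any, Dict, List

# Environment variable names that mean long-lived keys were pasted into the task.
STATIC_KEY_VARS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"}


def audit_task_definition(task_def: Dict[str, Any]) -> List[str]:
    """Return findings for an ECS task definition.

    Accepts the register-task-definition JSON shape (taskRoleArn,
    containerDefinitions) or CloudFormation's TaskDefinition.Properties
    (TaskRoleArn, ContainerDefinitions); only the key casing differs.
    """
    findings: List[str] = []
    role = task_def.get("taskRoleArn") or task_def.get("TaskRoleArn")
    if not role:
        findings.append("no taskRoleArn/TaskRoleArn: the agent will not inject "
                        "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, so the SDK has no credentials")
    containers = task_def.get("containerDefinitions") or task_def.get("ContainerDefinitions") or []
    for container in containers:
        name = container.get("name") or container.get("Name") or "<unnamed>"
        env_list = container.get("environment") or container.get("Environment") or []
        env = {e.get("name") or e.get("Name"): e.get("value") or e.get("Value") for e in env_list}
        for var in sorted(STATIC_KEY_VARS & env.keys()):
            findings.append(f"{name}: static credential {var} in environment; "
                            "remove it and rely on the task role")
        if not (env.get("AWS_DEFAULT_REGION") or env.get("AWS_REGION")):
            findings.append(f"{name}: no AWS_DEFAULT_REGION; boto3 clients fail with "
                            "'You must specify a region' unless a config file supplies one")
    return findings


def logs_policy_document(region: str, account_id: str, log_group: str) -> Dict[str, Any]:
    """Inline policy for the task role, scoped to a single log group.

    Assumption: these four actions are the minimal set a log-writing handler
    needs (create the group and stream, list streams, put events).
    """
    log_group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                       "logs:DescribeLogStreams", "logs:PutLogEvents"],
            # Group ARN for CreateLogGroup, ":*" for the streams inside it.
            "Resource": [log_group_arn, log_group_arn + ":*"],
        }],
    }


# --- constructed task definitions: the first mirrors the question, the second the fix ---
IMAGE = "123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/django-app:latest"  # constructed

TASK_DEF_WITH_STATIC_KEYS = {
    "family": "django-app",
    "containerDefinitions": [{
        "name": "web",
        "image": IMAGE,
        "environment": [
            {"name": "AWS_ACCESS_KEY_ID", "value": "bbbbbbbbb"},
            {"name": "AWS_SECRET_ACCESS_KEY", "value": "aaaaaaaaaaaa"},
        ],
    }],
}

TASK_DEF_WITH_ROLE = {
    "family": "django-app",
    "taskRoleArn": "arn:aws:iam::123456789012:role/django-app-task-role",  # constructed
    "containerDefinitions": [{
        "name": "web",
        "image": IMAGE,
        "environment": [{"name": "AWS_DEFAULT_REGION", "value": "ap-northeast-1"}],
    }],
}


if __name__ == "__main__":
    for label, td in (("static keys", TASK_DEF_WITH_STATIC_KEYS), ("task role", TASK_DEF_WITH_ROLE)):
        print(f"[{label}]")
        for finding in audit_task_definition(td) or ["ok"]:
            print("  -", finding)
    print(json.dumps(logs_policy_document("ap-northeast-1", "123456789012", "django-app"), indent=2))
```

Run it against the output of `aws ecs describe-task-definition` (the `taskDefinition` object) or against the `Properties` block of a CloudFormation `AWS::ECS::TaskDefinition` before registering; a clean audit plus the scoped policy attached to the role is the state in which the `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` comment above starts to work.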