From a container job running in Batch, I'm trying to extract the instance ID of the EC2 instance that is running that AWS Batch job.
I'm proceeding as follows:
- In the job script, I grab the environment variable AWS_BATCH_JOB_ID and call boto3.client('batch').describe_jobs(jobs=[job_id])
- I extract containerInstanceArn from the previous response. This has the form: "arn:aws:ecs:us-west-2:55555555:container-instance/3364c30a-aaaa-bbbb-cccc-03e68c347f00"
- I call boto3.client('ecs').describe_container_instances(...) with the ARN obtained. The EC2 instance ID should be contained in that response:

    # this is run from the batch job environment -- inside the container instance
    instances = ecs.describe_container_instances(
        cluster=config['cluster_arn'],
        containerInstances=[this_container_instance_arn],
        include=['TAGS'])

However, the call to DescribeContainerInstances gives me an error:
botocore.errorfactory.InvalidParameterException:
An error occurred (InvalidParameterException) when calling the
DescribeContainerInstances operation: Identifier is for 12345678.
Your accountId is 55555555
I've redacted the numbers, but the 55555555 matches the prefix in the containerInstanceArn. The 12345678 matches the ID in all my IAM roles, e.g. arn:aws:iam::12345678:role/my-ecs-job-role.
The job was launched from the CLI (from my main user account). I'm guessing a different role is assumed when the job is running, because the instance is started automatically by some AWS service account?
What do I need to change in IAM to allow my job script to query the ECS instance with boto?
Here is the job role I have configured in my batch job definition:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "ecs-tasks.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "ecs.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
I also have the following policy document attached to the job role. Without it, the call to describe_container_instances is denied:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeContainerInstances"
            ],
            "Resource": "*"
        }
    ]
}
Is there another role I need to edit? I notice there's also an ECS-instance-role, which is different from the job role.
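
An added example, not part of the original post: an offline pre-flight check that pulls containerInstanceArn out of a DescribeJobs-shaped response and groups the ARNs involved by account ID, which makes the 55555555 / 12345678 split from the error message visible before DescribeContainerInstances is called. The sample response is constructed from the redacted values quoted in the post, and the function names are hypothetical.

```python
from collections import defaultdict
from typing import Dict, List, Optional


def arn_account(arn: str) -> str:
    """Return the account-id field of an ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":", 5)  # the resource part may itself contain ':' or '/'
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[4]  # empty for services whose ARNs omit the account


def container_instance_arn(describe_jobs_response: dict) -> Optional[str]:
    """Extract container.containerInstanceArn from a Batch DescribeJobs response."""
    jobs = describe_jobs_response.get("jobs") or []
    if not jobs:
        return None
    return (jobs[0].get("container") or {}).get("containerInstanceArn")


def group_by_account(labelled_arns: Dict[str, str]) -> Dict[str, List[str]]:
    """Map account id -> labels of the ARNs that belong to that account."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for label, arn in labelled_arns.items():
        groups[arn_account(arn)].append(label)
    return dict(groups)


# Constructed sample, built from the redacted values quoted in the post.
SAMPLE_DESCRIBE_JOBS = {
    "jobs": [{
        "jobId": "constructed-job-id",
        "container": {
            "containerInstanceArn": "arn:aws:ecs:us-west-2:55555555:"
            "container-instance/3364c30a-aaaa-bbbb-cccc-03e68c347f00",
        },
    }]
}
JOB_ROLE_ARN = "arn:aws:iam::12345678:role/my-ecs-job-role"

if __name__ == "__main__":
    groups = group_by_account({
        "containerInstanceArn": container_instance_arn(SAMPLE_DESCRIBE_JOBS),
        "jobRole": JOB_ROLE_ARN,
    })
    for account, labels in groups.items():
        print(account, labels)
    if len(groups) > 1:
        print("ARNs span more than one account")
```

In a live job, the same grouping can be fed the cluster ARN and the caller ARN returned by STS GetCallerIdentity alongside the two values used here.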