I'm currently using ECS tasks (EC2 hosted) for a web application which uses FireLens Fluent Bit as the log router. I set the output destination to S3 using this plug-in, but it gets an access error like this: [error] [output:s3:s3.3] PutObject API responded with error='AccessDenied', message='Access Denied.

My Fluent Bit configuration file looks like this:

[OUTPUT]
    Name          s3
    Match         app
    region        ap-northeast-1
    bucket        BUCKET_NAME
    s3_key_format /logs/app/%Y/%m/%d/%H/logs_ecs_$uuid_flush.txt
    store_dir     /tmp/fluent-bit/s3
    upload_chunk_size 10m
    upload_timeout 10s

What I tried:

  • Attach AmazonS3FullAccess policy to the task role.
  • Add bucket policy which allows access from the task role like this:
    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "TASK_ROLE_ARN"
        },
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::BUCKET_NAME",
            "arn:aws:s3:::BUCKET_NAME/*"
        ]
    }

None of these solves the issue. Is there any configuration I'm missing?

Thanks for any help.

takbian

1 Answer

I found the solution by myself. My Fluent Bit container is using its host instance's role, so just adding the permission to that role solved the issue.

takbian
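
One way to confirm which role a container's AWS calls actually resolve to before changing any policy, as an added example that is not part of the original question or answer. It assumes the AWS CLI is available in a container of the same task to obtain the caller ARN; the function names are hypothetical and the ARNs used with it are constructed.

```shell
#!/bin/sh
# Added example (function names are hypothetical, sample ARNs are constructed).

# Where will credentials come from in this container?
# Simplified to the sources relevant on ECS: static keys, the task-role
# endpoint (ECS sets this variable when the task has a task role), else the
# EC2 instance profile served by the instance metadata service.
credential_source() {
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then
        echo "static-env-keys"
    elif [ -n "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]; then
        echo "ecs-task-role"
    else
        echo "ec2-instance-profile"
    fi
}

# Extract the role name from an assumed-role session ARN.
role_name() {
    r=${1#*:assumed-role/}
    echo "${r%%/*}"
}

# Classify the Arn returned by:
#   aws sts get-caller-identity --query Arn --output text
# Instance-profile sessions are named after the instance ID (i-...).
classify_caller_arn() {
    case "$1" in
        arn:aws*:sts::*:assumed-role/*/i-[0-9a-f]*) echo "instance-role:$(role_name "$1")" ;;
        arn:aws*:sts::*:assumed-role/*/*) echo "other-assumed-role:$(role_name "$1")" ;;
        *) echo "not-a-role-session" ;;
    esac
}

# Succeed only if calls are made as the role that holds the S3 permissions.
# $1 = caller ARN, $2 = name of the role the policy was attached to
verify_role() {
    actual=$(role_name "$1")
    [ "$actual" = "$2" ] && return 0
    echo "mismatch: calls use '$actual' ($(classify_caller_arn "$1")); policy is on '$2'" >&2
    return 1
}
```

Once the calling role is known, the S3 permission can be granted to that role alone and scoped to the log prefix instead of attaching AmazonS3FullAccess.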