
I'm migrating a .NET Framework web app to AWS, and switching to containers. It's old tech, but we're taking baby steps towards modernizing the platform. First step is introducing better InfraCode, CI/CD automation, and resilience/HA, so moving to Terraform-driven IaC and containerization with load balancing makes a lot of sense.

First thing to tackle is that session state started failing the moment we put our web portal (.NET ASP) behind an ALB load balancer. I figure using the default 'in memory' state and turning on session stickiness is a suboptimal path to go down (and it wasn't working with a brief attempt anyway) so we've jumped into trying to use DynamoDB for managing state.

We're following this guide:

https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/dynamodb-session-net-sdk.html

The ECS Task role has the rights defined for accessing the DynamoDB table, which has been pre-created with the expected default table name.

The site failed to load complaining about the configuration in web.config when it loads up.

"Unable to get IAM security credentials from EC2 Instance Metadata Service."

I looked into how the AWS SDK for .NET tries to authenticate, how it cycles through options starting off with looking for a local AWS Profile and Keys (including env vars for key and secret access key), and it looks like it should look for an ECS Task role, and then an EC2 Role (instance profile). Steps 7/8 in the page below:

https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/creds-assign.html

We're not going to go down the path of using keys in production, so the AWSProfile and ProfilePath config are not added to the provider config. Our web.config section looks like this:

    <sessionState timeout="10" mode="Custom" customProvider="DynamoDBSessionStoreProvider" xdt:Transform="Replace">
      <providers>
        <add name="DynamoDBSessionStoreProvider"
             type="Amazon.SessionProvider.DynamoDBSessionStateStore"
             Region="ap-southeast-2" />
      </providers>
    </sessionState>

My error talks about the EC2 metadata service instead of ECS (do they use the same metadata service??) - could this just be that the ECS task can't reach the metadata service to find the role to use?

Does anyone have experience of using this provider in Windows containers with an ECS role? Has anyone seen this error? If anyone out there has any insights I'd be really grateful to hear them!

Thank you!

  • ECSEC2CredentialsWrapper() method is used to pull credentials from metadata service. It checks a few environment variables on container itself to get metadata service URL. Hope this would help you in troubleshooting the issue. https://github.com/aws/aws-sdk-net/blob/master/sdk/src/Core/Amazon.Runtime/Credentials/FallbackCredentialsFactory.cs – Ankush Jain Jul 06 '22 at 16:31
  • Thanks, I'll read this and look deeper! – Gavin Connell-Otten Jul 06 '22 at 21:03

0 Answers
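The environment-variable check mentioned in the comment above, as an added diagnostic sketch (not code from the post or from the AWS SDK). It assumes the ECS agent sets `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` or `AWS_CONTAINER_CREDENTIALS_FULL_URI` and serves task-role credentials at `http://169.254.170.2`; the function name is hypothetical.

```powershell
# Added diagnostic sketch: run in a PowerShell session inside the Windows container.
# Assumptions: the ECS agent sets AWS_CONTAINER_CREDENTIALS_RELATIVE_URI (or
# AWS_CONTAINER_CREDENTIALS_FULL_URI) and serves task-role credentials at
# http://169.254.170.2.
$RelativeVar = 'AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'
$FullVar     = 'AWS_CONTAINER_CREDENTIALS_FULL_URI'
$EcsEndpoint = 'http://169.254.170.2'

# Hypothetical helper: resolve the credential endpoint visible at a given scope.
function Get-ContainerCredentialUri {
    param([ValidateSet('Process', 'Machine')][string]$Scope)
    $rel  = [Environment]::GetEnvironmentVariable($RelativeVar, $Scope)
    $full = [Environment]::GetEnvironmentVariable($FullVar, $Scope)
    if ($rel)  { return "$EcsEndpoint$rel" }
    if ($full) { return $full }
    return $null   # nothing set: the SDK falls through to the EC2 instance profile
}

foreach ($scope in 'Process', 'Machine') {
    $uri = Get-ContainerCredentialUri -Scope $scope
    if (-not $uri) {
        Write-Output "[$scope] no container credential variable set; SDK would try EC2 IMDS next"
        continue
    }
    Write-Output "[$scope] container credential endpoint: $uri"
    try {
        $creds = Invoke-RestMethod -Uri $uri -TimeoutSec 5
        # Print only non-secret fields; never log AccessKeyId, SecretAccessKey or Token.
        Write-Output "[$scope] reachable, RoleArn=$($creds.RoleArn), Expiration=$($creds.Expiration)"
    } catch {
        Write-Output "[$scope] endpoint not reachable: $($_.Exception.Message)"
    }
}
```

Process scope reflects what this shell inherited from the container; Machine scope is what a process that does not inherit that environment would see. Whether the IIS worker process inherits the container's variables is an assumption to verify, not something the post establishes.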