Open gshpychka opened 3 years ago
Hey @gshpychka :wave:
Could you provide an example of how you're initializing the ECS task and role? Could you also provide the failure message you're seeing?
Also double check your CDK bootstrap is set up correctly according to the docs.
If you're using the legacy bootstrap then it may be a problem with the user profile you're using to deploy the CDK code. For example your user may need to be granted access to `s3:ListBucket` in order to find the bucket.
A basic example:
```python
from aws_cdk import aws_ecs as ecs

# Assumed to be defined elsewhere in the stack: `cluster` (an ecs.ICluster),
# `config_path` (the local .env file) and `container_path` (the Dockerfile directory).
task_definition = ecs.Ec2TaskDefinition(
    self,
    id="ec2_task"
)
# The local env file is uploaded to the CDK asset bucket as a file asset
env_file = ecs.AssetEnvironmentFile.from_asset(
    path=config_path
)
container_image = ecs.ContainerImage.from_asset(directory=container_path)
container_definition = ecs.ContainerDefinition(
    self,
    "container",
    task_definition=task_definition,
    environment_files=[env_file],
    image=container_image,
)
ecs_service = ecs.Ec2Service(
    self,
    "service",
    task_definition=task_definition,
    cluster=cluster
)
```
Is my expectation correct that the CDK should grant the task execution role access to the environment file (that's in the asset bucket)?
Happening with me as well. I cannot grant access to the S3 bucket created by CDK to host the `EnvironmentFile`. Documentation suggests using `asset.grantRead(principal)` to grant read access, but there is no such method defined for the class.
Another issue is that when I create `AssetEnvironmentFile` with the `readers` argument holding a list of ECS execution roles as grantables, it gives `undefined` as the grantable, because I cannot get the task execution role object until I have added a container definition to the task.
This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.
As a workaround, one can get the bucket name and manually issue `grant_read`.
Assuming `self.task_def` holds the task definition instance of the ECS task, this code snippet can grant the task execution role access to the environment file bucket.
```python
from aws_cdk import aws_s3 as s3

# Import the CDK asset bucket by the name recorded on the container's first
# environment file, then grant the execution role read access to it.
self.env_file_bucket = s3.Bucket.from_bucket_name(
    self,
    "env_file-bucket",
    self.task_def.default_container.environment_files[0].s3_location.bucket_name,
)
self.env_file_bucket.grant_read(self.task_def.execution_role)
```
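To make the permission gap concrete without deploying anything, here is an added example (not code from this thread or from the CDK project) that builds the least-privilege IAM statements an ECS task execution role needs to pull an environment file from S3, compares them with what the `grant_read` workaround above attaches, and checks a set of identity policies for the missing permissions. The bucket name and object key are constructed placeholders, and the IAM evaluation is a simplified one (Allow/Deny with wildcards, no conditions); the default execution role policy is reproduced from the AWS managed policy `AmazonECSTaskExecutionRolePolicy`.

```python
import fnmatch

# Constructed placeholder values (not from the thread): the real asset bucket name and
# object key are generated by the CDK bootstrap stack and the asset hash.
ASSET_BUCKET = "cdk-example-assets-123456789012-us-east-1"
ENV_FILE_KEY = "0123456789abcdef0123456789abcdef.env"

# Contents of the AWS managed policy AmazonECSTaskExecutionRolePolicy, which is what an
# execution role carries by default: ECR image pull and CloudWatch Logs, nothing about S3.
ECS_TASK_EXECUTION_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
            "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
            "logs:CreateLogStream", "logs:PutLogEvents",
        ],
        "Resource": "*",
    }],
}


def env_file_read_policy(bucket_name: str, object_key: str) -> dict:
    """Least-privilege statements for one environment file: ECS documents that the
    execution role needs s3:GetObject on the object and s3:GetBucketLocation on the bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": [f"arn:aws:s3:::{bucket_name}/{object_key}"]},
            {"Effect": "Allow", "Action": ["s3:GetBucketLocation"],
             "Resource": [f"arn:aws:s3:::{bucket_name}"]},
        ],
    }


def bucket_grant_read_policy(bucket_name: str) -> dict:
    """What CDK's Bucket.grant_read(role) attaches (the workaround in this thread): read
    wildcards on the whole bucket and every object in it, broader than the minimum above."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject*", "s3:GetBucket*", "s3:List*"],
            "Resource": [f"arn:aws:s3:::{bucket_name}", f"arn:aws:s3:::{bucket_name}/*"],
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    # IAM wildcards: '*' matches any run of characters, '?' matches exactly one.
    # fnmatch also treats '[...]' specially, which does not occur in S3 ARNs here.
    return fnmatch.fnmatchcase(value, pattern)


def allows(policy: dict, action: str, resource_arn: str) -> bool:
    """Simplified identity-policy evaluation: an explicit Deny overrides any Allow,
    as in IAM; Condition blocks are not modelled."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        action_hit = any(_matches(a, action) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(r, resource_arn) for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_env_file_permissions(policies: list, bucket_name: str, object_key: str) -> list:
    """Return the (action, resource) pairs the execution role still lacks for this env file.
    An empty list means the file can be fetched; anything else is the reason the service
    described in this thread never stabilises."""
    required = [
        ("s3:GetObject", f"arn:aws:s3:::{bucket_name}/{object_key}"),
        ("s3:GetBucketLocation", f"arn:aws:s3:::{bucket_name}"),
    ]
    return [(a, r) for a, r in required if not any(allows(p, a, r) for p in policies)]


if __name__ == "__main__":
    print("default role lacks:",
          missing_env_file_permissions([ECS_TASK_EXECUTION_ROLE_POLICY], ASSET_BUCKET, ENV_FILE_KEY))
    print("after minimal grant:",
          missing_env_file_permissions([ECS_TASK_EXECUTION_ROLE_POLICY,
                                        env_file_read_policy(ASSET_BUCKET, ENV_FILE_KEY)],
                                       ASSET_BUCKET, ENV_FILE_KEY))
```

Running it shows the default execution role lacking both S3 actions, while either the two-statement minimal policy or the `grant_read` policy clears the list; the difference is that `grant_read` also lets the role read every other asset in the bucket, so if the asset bucket is shared by several stacks the minimal object-scoped statement is the one to prefer.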
I'm running into this as well. What's crazy is that because of this issue the example code in the docs isn't even deployable...
It's sad that this issue is not receiving attention. When you read the doc you think it will just work, but it just makes your deployment wait forever for the service to get running... And it never happens. I ended up with the same kind of workaround: manually create an S3 asset, use `EnvironmentFile.fromBucket` in the container, then `asset.grantRead` on `taskDefinition.executionRole`.
Also facing the same issue: access is granted to the ECR repo but not to the S3 bucket. Also tried using `S3EnvironmentFile`, but in vain.
Need a fix for this.
I am deploying an ECS app that uses an Asset Environment File. The ECS task is failing to start because the task execution role is not getting access to the CDK asset bucket to which the environment file is uploaded.
Things to note:
- `cdk deploy` of my pipeline - it was created by the first run of the Self Mutate stage (because the pipeline has multiple sources).
- Granting access to the asset bucket explicitly (by importing it by name) solves the issue, but it is a dirty hack.
I am afraid I do not have a complete minimal example, but maybe my description would be enough.
Let me know if it is not - I will try to think of something.
Environment
This is :bug: Bug Report