aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(pipelines): ECS task execution role is not given access to the env file #15763

Open gshpychka opened 3 years ago

gshpychka commented 3 years ago

I am deploying an ECS app that uses an Asset Environment File. The ECS task is failing to start because the task execution role is not getting access to the CDK asset bucket to which the environment file is uploaded.

Things to note:

Granting access to the asset bucket explicitly (by importing it by name) solves the issue, but it is a dirty hack.

I am afraid I do not have a complete minimal example, but maybe my description would be enough.

Let me know if it is not - I will try to think of something.


This is :bug: Bug Report

ryparker commented 3 years ago

Hey @gshpychka :wave:

Could you provide an example of how you're initializing the ECS task and role? Could you also provide the failure message you're seeing?

Also double-check that your CDK bootstrap is set up correctly according to the docs.

If you're using the legacy bootstrap then it may be a problem with the user profile you're using to deploy the CDK code. For example, your user may need to be granted access to s3:ListBucket in order to find the bucket.

gshpychka commented 3 years ago

A basic example:

    # aws_cdk.aws_ecs imported as `ecs`; `cluster`, `config_path` and
    # `container_path` are defined elsewhere in the stack.
    from aws_cdk import aws_ecs as ecs

    task_definition = ecs.Ec2TaskDefinition(
        self,
        id="ec2_task",
    )
    # The env file is uploaded to the CDK asset bucket as a file asset.
    env_file = ecs.AssetEnvironmentFile.from_asset(
        path=config_path,
    )
    container_image = ecs.ContainerImage.from_asset(directory=container_path)

    # Attaching the env file here is what should make CDK grant the task
    # execution role read access to it.
    container_definition = ecs.ContainerDefinition(
        self,
        "container",
        task_definition=task_definition,
        environment_files=[env_file],
        image=container_image,
    )
    ecs_service = ecs.Ec2Service(
        self,
        "service",
        task_definition=task_definition,
        cluster=cluster,
    )

Is my expectation correct that the CDK should grant the task execution role access to the environment file (that's in the asset bucket)?

adeelamin15 commented 2 years ago

Happening with me as well. I cannot grant access to the S3 bucket created by CDK to host the EnvironmentFile. Documentation suggests using asset.grantRead(principal) to grant read access, but there is no such method defined for the class.

Another issue is that when I create an AssetEnvironmentFile with the readers argument holding a list with the ECS execution role as the grantable, it gives undefined as the grantable, because I cannot get the task execution role object until I have added a container definition to the task.

github-actions[bot] commented 1 year ago

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

adeelamin15 commented 1 year ago

As a workaround, one can get the bucket name and manually issue grant_read. Assuming self.task_def holds the task definition instance of the ECS task, this code snippet grants the task execution role access to the environment file bucket.

    # aws_cdk.aws_s3 imported as `s3`
    from aws_cdk import aws_s3 as s3

    # Import the asset bucket by the name CDK recorded for the uploaded
    # environment file of the default container.
    self.env_file_bucket = s3.Bucket.from_bucket_name(
        self,
        "env_file-bucket",
        self.task_def.default_container.environment_files[0].s3_location.bucket_name,
    )
    # Grant the execution role read access on the whole asset bucket.
    self.env_file_bucket.grant_read(self.task_def.execution_role)

AndrewGuenther commented 1 year ago

I'm running into this as well. What's crazy is that because of this issue the example code in the docs isn't even deployable...

eddy-minet-holis commented 8 months ago

It's sad that this issue is not receiving attention. When you read the doc you think it will just work, but it just makes your deployment wait forever for the service to get running... And it never happens. I ended up with the same kind of workaround: manually create an S3 asset, use EnvironmentFile.fromBucket in the container, then asset.grantRead on taskDefinition.executionRole.
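Both workarounds in this thread (grant_read on the imported asset bucket, and asset.grantRead on the execution role) hand the execution role read access to the entire CDK asset bucket, which holds every asset the stack uploads. ECS itself only needs s3:GetObject on the environment file and s3:GetBucketLocation on its bucket. The following is an added example, not code from this thread or from the aws-cdk project: it builds that minimal statement from the S3 location CDK records for the file, and runs a pre-deploy check that reports which of the two required permissions an execution role policy is missing. The bucket name, object key and policy documents are constructed samples; the "buggy" policy is the standard ECS execution role permission set without any S3 access, and the "workaround" policy approximates what Bucket.grant_read adds (s3:GetObject*, s3:GetBucket*, s3:List* on the bucket and its objects). The evaluator is deliberately simplified (Allow statements only, no Deny or Condition handling).

```python
"""Least-privilege S3 statement for an ECS task execution role reading an
environment file, plus a preflight check of an existing role policy.
Pure Python; no aws_cdk dependency. All inputs below are constructed samples."""
import fnmatch
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class S3Location:
    """Mirrors the bucket_name/object_key pair CDK reports as s3_location."""
    bucket_name: str
    object_key: str

    @property
    def bucket_arn(self) -> str:
        return f"arn:aws:s3:::{self.bucket_name}"

    @property
    def object_arn(self) -> str:
        return f"arn:aws:s3:::{self.bucket_name}/{self.object_key}"


def required_actions(loc: S3Location) -> dict:
    """Per the ECS docs, the execution role needs s3:GetObject on the file
    and s3:GetBucketLocation on the bucket. Returns {action: resource_arn}."""
    return {
        "s3:GetObject": loc.object_arn,
        "s3:GetBucketLocation": loc.bucket_arn,
    }


def env_file_read_statement(loc: S3Location) -> dict:
    """Minimal IAM statement scoped to the single env file and its bucket,
    instead of read access to everything in the asset bucket."""
    return {
        "Effect": "Allow",
        "Action": list(required_actions(loc)),
        "Resource": [loc.object_arn, loc.bucket_arn],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive and allow '*' / '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern: str, arn: str) -> bool:
    # Resource ARNs are case-sensitive; same wildcard rules.
    return fnmatch.fnmatchcase(arn, pattern)


def missing_permissions(policy: dict, loc: S3Location) -> list:
    """Return the required (action, resource) pairs that no Allow statement
    in `policy` covers. Simplified: ignores Deny, Condition and NotAction."""
    missing = []
    for action, resource in required_actions(loc).items():
        covered = any(
            stmt.get("Effect") == "Allow"
            and any(_action_matches(p, action) for p in _as_list(stmt.get("Action", [])))
            and any(_resource_matches(p, resource) for p in _as_list(stmt.get("Resource", [])))
            for stmt in _as_list(policy.get("Statement", []))
        )
        if not covered:
            missing.append((action, resource))
    return missing


# Constructed sample: the location CDK would record for the uploaded env file
# (default bootstrap bucket naming with a placeholder account id).
ENV_FILE = S3Location(
    bucket_name="cdk-hnb659fds-assets-111111111111-us-east-1",
    object_key="0123abcd.env",
)

# Constructed sample: the execution role as the bug leaves it, i.e. the
# standard ECS execution role permissions (ECR pull + logs) and no S3 access.
BUGGY_EXECUTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
                   "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
                   "logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": "*",
    }],
}

# Constructed sample approximating the thread's workaround: CDK's
# Bucket.grant_read on the whole asset bucket (broad, but it does satisfy ECS).
WORKAROUND_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject*", "s3:GetBucket*", "s3:List*"],
        "Resource": [ENV_FILE.bucket_arn, ENV_FILE.bucket_arn + "/*"],
    }],
}


def check_all() -> dict:
    """Preflight check of the three policies against the env file location."""
    least = {"Version": "2012-10-17", "Statement": [env_file_read_statement(ENV_FILE)]}
    return {
        "buggy": missing_permissions(BUGGY_EXECUTION_POLICY, ENV_FILE),
        "workaround": missing_permissions(WORKAROUND_POLICY, ENV_FILE),
        "least_privilege": missing_permissions(least, ENV_FILE),
    }


if __name__ == "__main__":
    print(json.dumps(env_file_read_statement(ENV_FILE), indent=2))
    for name, missing in check_all().items():
        print(name, "->", "ok" if not missing else missing)
```

Running the check against the synthesized execution role policy before `cdk deploy` turns the "service never becomes stable" symptom from this thread into an explicit list of the two missing permissions; attaching `env_file_read_statement` (for example through a CDK `PolicyStatement` on the execution role) fixes the failure without opening the rest of the asset bucket to the role.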

redkhalil commented 3 months ago

Also facing the same issue: access is granted to the ECR repo but not to the S3 bucket. Also tried using S3EnvironmentFile, but in vain. Need a fix for this.