AWS XRAY on Fargate service

Time: 02-08

I want to add X-Ray to my Fargate service. Everything works (synth/deploy), but in the logs I'm seeing the following error:

2022-02-07T13:38:22Z [Error] Sending segment batch failed with: AccessDeniedException: 2022-02-07 14:38:22status code: 403, request id: cdc23f61-5c2e-4ede-8bda-5328e0c8ac8f

The user I'm using to deploy the application has the AWSXrayFullAccess permission. Do I have to grant the task the permission manually? If so, how?

Here is a snippet of the application:

const cdk = require('@aws-cdk/core');
const ecs = require('@aws-cdk/aws-ecs');
const ecsPatterns = require('@aws-cdk/aws-ecs-patterns');

class API extends cdk.Stack {
  constructor(parent, id, props) {
    super(parent, id, props);

    // One task definition holds both the application container and the
    // X-Ray daemon sidecar, so they share the task role and the task network.
    this.apiXRayTaskDefinition = new ecs.FargateTaskDefinition(this, 'apixRay-definition', {
      cpu: 256,
      memoryLimitMiB: 512,
    });

    this.apiXRayTaskDefinition.addContainer('api', {
        image: ecs.ContainerImage.fromAsset('./api'),
        environment: {
          "QUEUE_URL": props.queue.queueUrl,
          "TABLE": props.table.tableName,
          // Fargate uses awsvpc networking: the sidecar shares the task's
          // network namespace, so the SDK reaches it on port 2000 locally.
          "AWS_XRAY_DAEMON_ADDRESS": "0.0.0.0:2000"
        },
        logging: ecs.LogDriver.awsLogs({ streamPrefix: 'api' }),
    }).addPortMappings({
      containerPort: 80
    });

    // X-Ray daemon sidecar: receives segments on UDP 2000 and forwards them
    // to the X-Ray API using the task role's credentials.
    this.apiXRayTaskDefinition.addContainer('xray', {
      image: ecs.ContainerImage.fromRegistry('public.ecr.aws/xray/aws-xray-daemon:latest'),
      logging: ecs.LogDriver.awsLogs({ streamPrefix: 'xray' }),
    }).addPortMappings({
      containerPort: 2000,
      protocol: ecs.Protocol.UDP,
    });

    // API
    // Because an explicit taskDefinition is passed, the pattern does not build
    // its own; the cpu/memoryLimitMiB values from the task definition apply.
    this.api = new ecsPatterns.ApplicationLoadBalancedFargateService(this, 'api', {
      cluster: props.cluster,
      taskDefinition: this.apiXRayTaskDefinition,
      desiredCount: 2,
      cpu: 256,
      memoryLimitMiB: 512,
    });

    // Grants attach to the task role (what the containers run as),
    // not to the execution role that pulls images and writes logs.
    props.queue.grantSendMessages(this.api.service.taskDefinition.taskRole);
    props.table.grantReadWriteData(this.api.service.taskDefinition.taskRole);

  }
}

CodePudding user response:

The user I'm using to deploy the application has the AWSXrayFullAccess permission.

This is irrelevant: the task will not get all the rights of the user that deploys the stack.

Yes, you need to add the required permissions to the task with

const iam = require('@aws-cdk/aws-iam');

// Attach the AWS managed policy for the daemon to the task role, which is the
// role the containers (including the X-Ray sidecar) use to call the X-Ray API.
this.apiXRayTaskDefinition.taskRole.addManagedPolicy(
    iam.ManagedPolicy.fromAwsManagedPolicyName('AWSXRayDaemonWriteAccess')
);

References:

AWS managed policy with required access for the X-Ray daemon: https://docs.aws.amazon.com/xray/latest/devguide/security_iam_id-based-policy-examples.html#xray-permissions-managedpolicies

Import an AWS-managed policy: https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-iam.ManagedPolicy.html#static-fromwbrawswbrmanagedwbrpolicywbrnamemanagedpolicyname

Access the task role: https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-ecs.FargateTaskDefinition.html#taskrole-1

Add a policy: https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-iam.IRole.html#addwbrmanagedwbrpolicypolicy
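The point of the answer, that the daemon's 403 depends on the task role and not on whoever ran `cdk deploy`, can be checked before deploying by reading the template `cdk synth` writes. The following is an added example, not part of the original question or answer and not code from the CDK project: it walks a CloudFormation template, finds each `AWS::ECS::TaskDefinition`, resolves its `TaskRoleArn` to the role resource, and reports which of the actions in AWSXRayDaemonWriteAccess that role lacks. It assumes the shapes CDK emits for managed policy ARNs (an `Fn::Join` fragment) and for `grant*()` permissions (a standalone `AWS::IAM::Policy` listing the role). The sample template at the bottom is hand-constructed to resemble CDK output; its logical IDs are made up.

```javascript
// Added example, not from the original post: audit a `cdk synth` template for
// X-Ray permissions on the *task role* (the execution role is deliberately ignored).

// Actions granted by the AWS managed policy AWSXRayDaemonWriteAccess.
const XRAY_DAEMON_ACTIONS = [
  'xray:PutTraceSegments',
  'xray:PutTelemetryRecords',
  'xray:GetSamplingRules',
  'xray:GetSamplingTargets',
  'xray:GetSamplingStatisticSummaries',
];
const XRAY_MANAGED_POLICY = 'AWSXRayDaemonWriteAccess';

// Resolve {Ref: X} or {"Fn::GetAtt": [X, "Arn"]} to the logical ID X.
function logicalId(value) {
  if (!value || typeof value !== 'object') return null;
  if (typeof value.Ref === 'string') return value.Ref;
  if (Array.isArray(value['Fn::GetAtt'])) return value['Fn::GetAtt'][0];
  return null;
}

// Does a granted action (possibly ending in a wildcard, e.g. "xray:*") cover the wanted one?
function actionCovers(granted, wanted) {
  if (granted === '*' || granted === wanted) return true;
  return granted.endsWith('*') && wanted.startsWith(granted.slice(0, -1));
}

// Every Allow action attached to a role: inline Policies on the role plus
// standalone AWS::IAM::Policy resources that list the role (CDK's grant*() shape).
function allowedActions(template, roleId) {
  const resources = template.Resources || {};
  const docs = [];
  const role = resources[roleId];
  if (role && role.Properties && Array.isArray(role.Properties.Policies)) {
    for (const p of role.Properties.Policies) docs.push(p.PolicyDocument);
  }
  for (const res of Object.values(resources)) {
    if (res.Type !== 'AWS::IAM::Policy') continue;
    const roles = (res.Properties && res.Properties.Roles) || [];
    if (roles.some((r) => logicalId(r) === roleId)) docs.push(res.Properties.PolicyDocument);
  }
  const actions = [];
  for (const doc of docs) {
    const statements = Array.isArray(doc.Statement) ? doc.Statement : [doc.Statement];
    for (const s of statements) {
      if (!s || s.Effect !== 'Allow' || !s.Action) continue;
      actions.push(...(Array.isArray(s.Action) ? s.Action : [s.Action]));
    }
  }
  return actions;
}

// CDK emits managed policy ARNs as Fn::Join fragments, so search the serialized value.
function hasManagedPolicy(template, roleId, name) {
  const role = (template.Resources || {})[roleId];
  const arns = (role && role.Properties && role.Properties.ManagedPolicyArns) || [];
  return arns.some((arn) => JSON.stringify(arn).includes(`:iam::aws:policy/${name}`));
}

// One result per task definition: which daemon actions its task role is missing.
function auditXrayTaskRoles(template) {
  const results = [];
  for (const [id, res] of Object.entries(template.Resources || {})) {
    if (res.Type !== 'AWS::ECS::TaskDefinition') continue;
    const roleId = logicalId(res.Properties && res.Properties.TaskRoleArn);
    let missing;
    if (!roleId) missing = XRAY_DAEMON_ACTIONS;                       // no task role at all
    else if (hasManagedPolicy(template, roleId, XRAY_MANAGED_POLICY)) missing = [];
    else {
      const granted = allowedActions(template, roleId);
      missing = XRAY_DAEMON_ACTIONS.filter((w) => !granted.some((g) => actionCovers(g, w)));
    }
    results.push({ taskDefinition: id, taskRole: roleId, ok: missing.length === 0, missing });
  }
  return results;
}

// Constructed sample template (hand-written to resemble `cdk synth` output).
// "Broken" has X-Ray access only on the execution role, as in the question;
// "Fixed" has the managed policy on the task role; "Inline" grants only xray:Put*.
const xrayArn = { 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, `:iam::aws:policy/${XRAY_MANAGED_POLICY}`]] };
const SAMPLE_TEMPLATE = { Resources: {
  BrokenTaskRole: { Type: 'AWS::IAM::Role', Properties: {} },
  BrokenTaskRoleDefaultPolicy: { Type: 'AWS::IAM::Policy', Properties: {
    Roles: [{ Ref: 'BrokenTaskRole' }],
    PolicyDocument: { Statement: [
      { Effect: 'Allow', Action: ['sqs:SendMessage', 'sqs:GetQueueUrl'], Resource: '*' },
      { Effect: 'Allow', Action: 'dynamodb:*', Resource: '*' } ] } } },
  ExecutionRole: { Type: 'AWS::IAM::Role', Properties: { ManagedPolicyArns: [xrayArn] } },
  BrokenTaskDef: { Type: 'AWS::ECS::TaskDefinition', Properties: {
    TaskRoleArn: { 'Fn::GetAtt': ['BrokenTaskRole', 'Arn'] },
    ExecutionRoleArn: { 'Fn::GetAtt': ['ExecutionRole', 'Arn'] } } },
  FixedTaskRole: { Type: 'AWS::IAM::Role', Properties: { ManagedPolicyArns: [xrayArn] } },
  FixedTaskDef: { Type: 'AWS::ECS::TaskDefinition', Properties: {
    TaskRoleArn: { 'Fn::GetAtt': ['FixedTaskRole', 'Arn'] } } },
  InlineTaskRole: { Type: 'AWS::IAM::Role', Properties: { Policies: [{ PolicyName: 'xray',
    PolicyDocument: { Statement: { Effect: 'Allow', Action: 'xray:Put*', Resource: '*' } } }] } },
  InlineTaskDef: { Type: 'AWS::ECS::TaskDefinition', Properties: {
    TaskRoleArn: { 'Fn::GetAtt': ['InlineTaskRole', 'Arn'] } } },
} };

console.log(JSON.stringify(auditXrayTaskRoles(SAMPLE_TEMPLATE), null, 2));
```

To run it against a real stack, pass `JSON.parse(fs.readFileSync('cdk.out/<StackName>.template.json', 'utf8'))` to `auditXrayTaskRoles` instead of the sample. The "Inline" case is worth noting: a role that only allows `xray:Put*` lets the daemon upload segments, but the daemon also calls the `GetSampling*` APIs for sampling rules, which is why the managed policy (or an equivalent inline statement) is the practical minimum.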
