8

When trying to deploy my multi-docker application through beanstalk with a dockerrun.aws.json file, where it has secrets, I get an error that I have to specify an executionRoleArn. When I'm looking at the file, it IS defined.

I tried moving it to different spot inside the file, tried to define taskRoleArn too, nothing really works. I couldn't find any hints that it wasn't supported in the aws documentation. I followed this page : https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html

This is my dockerrun.aws.json file partially redacted.

{
    "AWSEBDockerrunVersion": 2,
    "executionRoleArn": "arn:aws:iam::ACCOUNT_ID:role/ecsTaskExecutionRole",
    "containerDefinitions": [{
        ...
        "secrets": [
            {
                "name" : "SOME_ENV",
                "valueFrom" : "arn:aws:ssm:REGION:ACCOUNT_ID:parameter/MY_SECRET" 
            },
        ...
        ],
        ...
     }],
     "volumes": [
       ....
      ]
}

This is the exact error I'm getting while using eb deploy:

ERROR   Service:AmazonECS, Code:ClientException, Message:When you 
are specifying container secrets, you must also specify a value 
for 'executionRoleArn'., 
Class:com.amazonaws.services.ecs.model.ClientException


Lorac
  • 395
  • 1
  • 4
  • 14

3 Answers

1

At the time of this post, AWS doesn't support EBS with ECS with ecsTaskExecutionRole. The workaround is to have a bash script loaded at login which fetches the env variables from KMS.

Lorac
  • 395
  • 1
  • 4
  • 14
0

Here is what I can tell you:

  • there are posts on GitHub which indicate that the AWS API responds with the error message you provided, if no Secrets are defined. [1]
  • the secrets key is relatively new, so it might be unsupported by your version of the eb cli

Could you please check whether you are using the latest version of the eb cli?

References

[1] https://github.com/aws/aws-sdk-go/issues/2370#issuecomment-449780818

Martin Löper
  • 6,471
  • 1
  • 16
  • 40
0

Note: this solution is for an ECS Task Definition and may not be the correct solution for the original problem; I learned this from the comments (thanks @JoeSadoski). Leaving this solution here as people may find it useful.

As of May 2022, this is what you need to do:

  1. Ensure you have defined ecsTaskExecutionRole (follow these steps to check and add it if it doesn't exist: https://docs.aws.amazon.com/AmazonECS/latest/userguide/task_execution_IAM_role.html)

  2. Add required permissions to access AWS Systems Manager: https://docs.aws.amazon.com/AmazonECS/latest/userguide/specifying-sensitive-data-parameters.html OR Secrets Manager: https://docs.aws.amazon.com/AmazonECS/latest/userguide/private-auth.html#private-auth-iam (TIP: I used Resource: "*" in the permissions JSON to allow access to all variables instead of adding each one individually as given in the guides)

Once you add the above, go back to your Task Definition and ensure ecsTaskExecutionRole is set for the Task (right now it needs to be set in a couple of places right below one another!).

Sarang
  • 2,143
  • 24
  • 21
  • Could you perhaps post your Docker.aws.json? I'm trying to follow these steps, and it's not working for me in EB. I'm still experiencing the issue OP is experiencing. – Joe Sadoski Sep 01 '22 at 20:31
  • @JoeSadoski any luck? I'm still getting OP's error. I have setup IAM and am using `executionRoleArn` in the top-level of `Dockerrun.aws.json` (version 2) and it's not being picked up. – Ryan Sep 08 '22 at 01:06
  • Sadly no, I think that the accepted answer for this question is correct and it's not currently supported. I think @Sarang may have accidentally answered this question as if it were an ECS task definition, which does allow this property. My workaround was to use a platform hook to access SSM and dump it to an `.env` file. – Joe Sadoski Sep 10 '22 at 01:16
  • I used [lmX2015's answer here](https://stackoverflow.com/a/69946725/705296), with the only exception being that I used `predeploy` instead of `prebuild`, as the timing makes more sense. EB also has `appdeploy`, which I might end up using instead. https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/custom-platform-hooks.html – Joe Sadoski Sep 10 '22 at 01:20
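The workaround described in the accepted answer (a script that fetches the variables at deploy time instead of using `secrets` in `Dockerrun.aws.json`) and in Joe Sadoski's comments (a `predeploy` platform hook that reads SSM and writes an `.env` file) can be put together as the following script. This is an added example, not code from any of the answers or from AWS; the hook path `.platform/hooks/predeploy/01_fetch_secrets.sh`, the parameter names under `/myapp/prod/`, and the `.env` location are assumptions. It assumes the AWS CLI is on the instance and that the instance profile (not a task execution role) is allowed `ssm:GetParameter` on those parameters and `kms:Decrypt` on the key behind them.

```shell
#!/usr/bin/env bash
# Hypothetical Elastic Beanstalk platform hook: .platform/hooks/predeploy/01_fetch_secrets.sh
# (path, parameter names and .env location are assumptions, not from the question).
set -eu

# Environment variable name -> SSM parameter name, one pair per line (assumed names).
SECRET_MAP="SOME_ENV=/myapp/prod/MY_SECRET
DB_PASSWORD=/myapp/prod/DB_PASSWORD"

# Where the application reads its variables from (assumed path).
ENV_FILE="${ENV_FILE:-/var/app/current/.env}"

# Read one SecureString parameter. The instance profile needs ssm:GetParameter on
# the parameter and kms:Decrypt on the key that encrypts it; nothing else is required.
fetch_param() {
    aws ssm get-parameter --name "$1" --with-decryption \
        --query 'Parameter.Value' --output text
}

# Turn a raw value into a single-quoted shell literal so spaces and quotes survive
# when the .env file is sourced later.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Write KEY='value' lines to $1 for every pair in $2. The file is created
# owner-readable only, so the values never sit in the task definition, in
# environment properties, or in a world-readable file on the instance.
write_env_file() {
    out="$1"
    map="$2"
    : > "$out"
    chmod 600 "$out"
    printf '%s\n' "$map" | while IFS='=' read -r name param; do
        [ -n "$name" ] || continue
        value="$(fetch_param "$param")"
        printf '%s=%s\n' "$name" "$(shell_quote "$value")" >> "$out"
    done
}

# Run automatically only when installed under a hooks directory; sourcing the
# file elsewhere just defines the functions.
case "$0" in
    */hooks/*) write_env_file "$ENV_FILE" "$SECRET_MAP" ;;
esac
```

Install it with the executable bit set (Beanstalk skips hooks that are not executable) and point the container at the generated file with `env_file` in the compose file or an `--env-file` style option. Granting the instance profile access to the exact parameter ARNs, rather than `Resource: "*"`, keeps a compromised instance from reading every parameter in the account.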