Should I use AWS Elastic Beanstalk or the Amazon EC2 Container Service (ECS) to scale Docker containers?

EB vs ECS really comes down to control. Do you want to control your scaling and capacity or do you want to have that more abstracted and instead focus primarily on your app. ECS will give you control, as you have to specify the size and number of nodes in the cluster and whether or … Read more

How to verify JWT from AWS Cognito in the API backend?

Turns out I didn’t read the docs right. It’s explained here (scroll down to “Using ID Tokens and Access Tokens in your Web APIs”). The API service can download Cognito’s secrets and use them to verify received JWTs. Perfect. Edit: @Groady’s comment is on point: but how do you validate the tokens? I’d say use … Read more

ECR cross-account pull permissions

You also need to configure permissions in the ECR for cross-account access. To give pull access to the ECR of Account A to Account B, put the following JSON policy in the ECR Permissions tab. { "Version": "2008-10-17", "Statement": [ { "Sid": "AllowCrossAccountPull", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::aws_account_b_number:root" }, "Action": [ "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability", … Read more

ValidationError Stack:arn aws cloudformation stack is in ROLLBACK_COMPLETE state and can not be updated

This happens when stack creation fails. By default the stack will remain in place with a status of ROLLBACK_COMPLETE. This means it’s successfully rolled back (deleted) all the resources which the stack had created. The only thing remaining is the empty stack itself. You cannot update this stack; you must manually delete it, after which … Read more

Difference between AWS Elastic Container Service’s (ECS) ExecutionRole and TaskRole

Referring to the documentation you can see that the execution role is the IAM role that executes ECS actions such as pulling the image and storing the application logs in CloudWatch. The TaskRole, then, is the IAM role used by the task itself. For example, if your container wants to call other AWS services like … Read more

AWS ECS Fargate ResourceInitializationError: unable to pull secrets or registry auth

AWS employee here. What you are seeing is due to a change in how networking works between Fargate platform version 1.3.0 and Fargate platform version 1.4.0. As part of the change from using Docker to using containerd we also made some changes to how networking works. In version 1.3.0 and below each Fargate task got … Read more

CannotPullContainerError on AWS ECS

The registry URL is … blank. Just the same as the docker command line, if you give ECS an image with no repository URL: eventstore/eventstore it will pull it from Docker Hub. (This surprised me too. I spent half an hour searching the interwebs for a URL for Docker Hub before trying this.)

AWS ECS Error when running task: No Container Instances were found in your cluster

I figured this out after a few more hours of investigating. Amazon, if you are listening, you should state this somewhere in your management console when creating a cluster or adding instances to the cluster: “Before you can add ECS instances to a cluster you must first go to the EC2 Management Console and create … Read more