AWS XRAY on Fargate service

I want to add X-Ray to my Fargate service. Everything works (synth/deploy) but in the logs I'm seeing the following error:

2022-02-07T13:38:22Z [Error] Sending segment batch failed with:
AccessDeniedException: 2022-02-07 14:38:22status code: 403, request
id: cdc23f61-5c2e-4ede-8bda-5328e0c8ac8f

The user I'm using to deploy the application has the AWSXrayFullAccess permission.
Do I have to grant the task the permission manually? If so, how?


Here is a snippet of the application:

const cdk = require('@aws-cdk/core');
const ecs = require('@aws-cdk/aws-ecs');
const ecsPatterns = require('@aws-cdk/aws-ecs-patterns');

class API extends cdk.Stack {
  constructor(parent, id, props) {
    super(parent, id, props);

    // One task definition holding the API container and the X-Ray daemon sidecar.
    // Fargate tasks use awsvpc networking, so both containers share localhost.
    this.apiXRayTaskDefinition = new ecs.FargateTaskDefinition(this, 'apixRay-definition', {
      cpu: 256,
      memoryLimitMiB: 512,
    });

    this.apiXRayTaskDefinition.addContainer('api', {
        image: ecs.ContainerImage.fromAsset('./api'),
        environment: {
          "QUEUE_URL": props.queue.queueUrl,
          "TABLE": props.table.tableName,
          // The X-Ray SDKs default to 127.0.0.1:2000, which is the sidecar in the same task.
          "AWS_XRAY_DAEMON_ADDRESS": "0.0.0.0:2000"
        },
        logging: ecs.LogDriver.awsLogs({ streamPrefix: 'api' }),
    }).addPortMappings({
      containerPort: 80
    });

    // X-Ray daemon sidecar: receives segments on UDP 2000 and uploads them
    // to the X-Ray API using the task role's credentials.
    this.apiXRayTaskDefinition.addContainer('xray', {
      image: ecs.ContainerImage.fromRegistry('public.ecr.aws/xray/aws-xray-daemon:latest'),
      logging: ecs.LogDriver.awsLogs({ streamPrefix: 'xray' }),
    }).addPortMappings({
      containerPort: 2000,
      protocol: ecs.Protocol.UDP,
    });

    // API behind an ALB. cpu/memory come from the task definition passed in
    // (the pattern ignores them when taskDefinition is set), and createLogs
    // is not a property of this construct, so neither is repeated here.
    this.api = new ecsPatterns.ApplicationLoadBalancedFargateService(this, 'api', {
      cluster: props.cluster,
      taskDefinition: this.apiXRayTaskDefinition,
      desiredCount: 2,
    });

    // These grants go on the task role, the identity the containers run as.
    props.queue.grantSendMessages(this.api.service.taskDefinition.taskRole);
    props.table.grantReadWriteData(this.api.service.taskDefinition.taskRole);

  }
}

module.exports = { API };

> Solution:

> The user I'm using to deploy the application has the AWSXrayFullAccess permission.

This is irrelevant; the task will not get the rights of the user that deploys the stack.

Yes, you need to add the required permissions to the task with

const iam = require('@aws-cdk/aws-iam');

// Attach the AWS-managed policy the X-Ray daemon needs to the task role.
// fromAwsManagedPolicyName is a static factory method, so it is called without `new`.
this.apiXRayTaskDefinition.taskRole.addManagedPolicy(
    iam.ManagedPolicy.fromAwsManagedPolicyName('AWSXRayDaemonWriteAccess')
);

References:

AWS managed policy with required access for the X-Ray daemon: https://docs.aws.amazon.com/xray/latest/devguide/security_iam_id-based-policy-examples.html#xray-permissions-managedpolicies

Import an AWS-managed policy: https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-iam.ManagedPolicy.html#static-fromwbrawswbrmanagedwbrpolicywbrnamemanagedpolicyname

Access the task role: https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-ecs.FargateTaskDefinition.html#taskrole-1

Add a policy: https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-iam.IRole.html#addwbrmanagedwbrpolicypolicy
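An added example, not part of the question or the answer above: a small Node.js check (built-ins only) that reads a synthesized CloudFormation template and reports every ECS task definition whose task role cannot call the X-Ray daemon's APIs, the condition behind the 403 in the question. It treats the task role, not the execution role, as the identity that matters, because the daemon signs its uploads with the task role's credentials. The templates and logical IDs (TaskRole, TaskDef, ExecutionRole, Queue, Table) are constructed to resemble `cdk synth` output and are not the stack's real names; the action list is what the AWSXRayDaemonWriteAccess managed policy grants.

```javascript
'use strict';
// Added example, not code from the question or the answer: a pre-deploy check over
// a synthesized CloudFormation template. Templates and logical IDs below are
// constructed to look like `cdk synth` output; they are not the stack's real IDs.

// Actions granted by the AWSXRayDaemonWriteAccess managed policy.
const XRAY_DAEMON_ACTIONS = [
  'xray:PutTraceSegments',
  'xray:PutTelemetryRecords',
  'xray:GetSamplingRules',
  'xray:GetSamplingTargets',
  'xray:GetSamplingStatisticSummaries',
];
const XRAY_MANAGED_POLICY = 'policy/AWSXRayDaemonWriteAccess';

const asArray = (x) => (x === undefined ? [] : Array.isArray(x) ? x : [x]);

// Collapse the intrinsics CDK emits for ARNs (Fn::Join / Ref) into one string.
function flatten(v) {
  if (typeof v === 'string') return v;
  if (v && v['Fn::Join']) return v['Fn::Join'][1].map(flatten).join(v['Fn::Join'][0]);
  if (v && v.Ref) return '${' + v.Ref + '}';
  return JSON.stringify(v);
}

// Logical ID of the role behind a TaskRoleArn ({ 'Fn::GetAtt': [id, 'Arn'] } or { Ref: id }).
const roleLogicalId = (arn) =>
  arn && arn['Fn::GetAtt'] ? arn['Fn::GetAtt'][0] : arn && arn.Ref ? arn.Ref : null;

// IAM action patterns may contain '*' (e.g. "xray:GetSampling*"); matching is case-insensitive.
function actionMatches(pattern, action) {
  const parts = pattern.split('*').map((s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + parts.join('.*') + '$', 'i').test(action);
}

// Managed policy ARNs plus every inline statement reaching the role, whether
// embedded in Role.Properties.Policies or attached through an AWS::IAM::Policy.
function rolePermissions(template, roleId) {
  const resources = template.Resources || {};
  const role = resources[roleId];
  if (!role) return { managed: [], statements: [] };
  const props = role.Properties || {};
  const managed = asArray(props.ManagedPolicyArns).map(flatten);
  const statements = [];
  for (const p of asArray(props.Policies)) statements.push(...asArray(p.PolicyDocument.Statement));
  for (const res of Object.values(resources)) {
    if (res.Type !== 'AWS::IAM::Policy') continue;
    if (asArray(res.Properties.Roles).some((r) => r.Ref === roleId)) {
      statements.push(...asArray(res.Properties.PolicyDocument.Statement));
    }
  }
  return { managed, statements };
}

function roleAllows(template, roleId, action) {
  const { managed, statements } = rolePermissions(template, roleId);
  if (managed.some((arn) => arn.endsWith(XRAY_MANAGED_POLICY))) return true;
  return statements.some((s) => s.Effect === 'Allow' && asArray(s.Action).some((a) => actionMatches(a, action)));
}

// The check. Only TaskRoleArn is inspected: the execution role is used by the ECS
// agent (image pull, log delivery), not by the containers' own AWS calls, so X-Ray
// permissions placed there (or on the deploying user) do not fix the daemon's 403.
function taskRolesMissingXray(template) {
  const findings = [];
  for (const [id, res] of Object.entries(template.Resources || {})) {
    if (res.Type !== 'AWS::ECS::TaskDefinition') continue;
    const roleId = roleLogicalId(res.Properties.TaskRoleArn);
    const missing = XRAY_DAEMON_ACTIONS.filter((a) => !roleId || !roleAllows(template, roleId, a));
    if (missing.length) findings.push({ taskDefinition: id, taskRole: roleId, missing });
  }
  return findings;
}

// Constructed template resembling the question's stack: the task role only has the
// SQS/DynamoDB grants, and the X-Ray policy was (wrongly) put on the execution role.
const XRAY_ARN = { 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::aws:policy/AWSXRayDaemonWriteAccess']] };
const BEFORE = { Resources: {
  TaskRole: { Type: 'AWS::IAM::Role', Properties: {} },
  TaskRolePolicy: { Type: 'AWS::IAM::Policy', Properties: { Roles: [{ Ref: 'TaskRole' }], PolicyDocument: { Statement: [
    { Effect: 'Allow', Action: ['sqs:SendMessage', 'sqs:GetQueueUrl'], Resource: { 'Fn::GetAtt': ['Queue', 'Arn'] } },
    { Effect: 'Allow', Action: ['dynamodb:PutItem', 'dynamodb:GetItem'], Resource: { 'Fn::GetAtt': ['Table', 'Arn'] } },
  ] } } },
  ExecutionRole: { Type: 'AWS::IAM::Role', Properties: { ManagedPolicyArns: [XRAY_ARN] } },
  TaskDef: { Type: 'AWS::ECS::TaskDefinition', Properties: {
    TaskRoleArn: { 'Fn::GetAtt': ['TaskRole', 'Arn'] }, ExecutionRoleArn: { 'Fn::GetAtt': ['ExecutionRole', 'Arn'] } } },
} };

// Fixed as in the answer: the managed policy attached to the task role.
const AFTER_MANAGED = JSON.parse(JSON.stringify(BEFORE));
AFTER_MANAGED.Resources.TaskRole.Properties.ManagedPolicyArns = [XRAY_ARN];

// Least-privilege variant: only the daemon's actions, inline. X-Ray's Put*/GetSampling*
// actions do not support resource-level restrictions, so Resource must be '*'.
const AFTER_INLINE = JSON.parse(JSON.stringify(BEFORE));
AFTER_INLINE.Resources.TaskRolePolicy.Properties.PolicyDocument.Statement.push(
  { Effect: 'Allow', Action: ['xray:PutTraceSegments', 'xray:PutTelemetryRecords', 'xray:GetSampling*'], Resource: '*' },
);
```

To run it against a real stack, load the template that `cdk synth` writes (for example `JSON.parse(fs.readFileSync('cdk.out/<StackName>.template.json', 'utf8'))`) and pass it to `taskRolesMissingXray`; a non-empty result before `cdk deploy` is the same gap the daemon reports as a 403 at runtime. The inline variant is the least-privilege alternative to attaching the managed policy: it stays within the five actions the daemon calls, and the wildcard handling in `actionMatches` is there because CDK-generated and hand-written statements both commonly use `xray:GetSampling*`.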
