I would like to deploy imgproxy to AWS using Fargate to serve different sizes/formats of images from an s3 bucket. Ideally also behind Cloudfront.

Imgproxy has a docker image

docker pull darthsim/imgproxy:latest
docker run -p 8080:8080 -it darthsim/imgproxy

and serving from s3 is supported, e.g.:

docker run -p 8080:8080 -e AWS_ACCESS_KEY_ID=XXXX -e AWS_SECRET_ACCESS_KEY=YYYYYYXXX -e IMGPROXY_USE_S3=true -e IMGPROXY_S3_REGION=us-east-1  -it darthsim/imgproxy

Deploy with Fargate

I followed the Fargate wizard and chose "Custom"

The container

I set up the container as follows. Using the imgproxy Docker image and mapping port 8080, which I think is the one it usually runs on?

The container config

In the advanced section, I set the command as

docker run -p 8080:8080 -e IMGPROXY_USE_S3=true -e IMGPROXY_S3_REGION=us-east-1  -it darthsim/imgproxy

Advanced container config

The task

I left this as the defaults:

Task definition

The service

For the service, I chose to use a load balancer:

The Service

The results

After waiting for the launch to complete, I went to the load balancer and copied the DNS name:

http://.us-east-1.elb.amazonaws.com:8080/

But I got 503 Service Temporarily Unavailable

It seems the task failed to start

Status reason   CannotStartContainerError: Error response from daemon: OCI runtime create failed: container_linux.go:370: starting container process caused: exec: "docker run -p 8080:8080 -e IMGPROXY_USE_S3=true -e IMGPROXY_S3_REGION=us-east-1 -it darthsim/imgproxy": st
Entry point ["docker run -p 8080:8080 -e IMGPROXY_USE_S3=true -e IMGPROXY_S3_REGION=us-east-1 -it darthsim/imgproxy"]
Command ["docker run -p 8080:8080 -e IMGPROXY_USE_S3=true -e IMGPROXY_S3_REGION=us-east-1 -it darthsim/imgproxy"]

Help

I'm looking initially to figure out how to get this deployed in basic form, maybe I need to do more with IAM roles so it doesn't need the AWS creds? Maybe something in the config was not right?

Then I'd also like to figure out how to bring CloudFront into the picture too.

1 Answer

Turns out I was overcomplicating this.

The CMD and ENTRYPOINT can be left blank.

I then simply set the environment variables:

AWS_ACCESS_KEY_ID   
AWS_SECRET_ACCESS_KEY   
IMGPROXY_S3_REGION
IMGPROXY_USE_S3 true

After waiting then for the task to go from PENDING to RUNNING, I can go copy the DNS name of the load balancer and be greeted by the imgproxy "hello" page.

The IAM Role vs creds

I didn't get this working via an IAM role for the task. I tried giving the ecsTaskExecutionRole s3 read permissions, but in the absence of AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in the container environment imgproxy complained about missing creds.

In the end I just created a user with an s3 policy allowing read access to the relevant s3 bucket and copied the id and access key to the environment as per above.

If anyone knows how to get an IAM role working that would be nice to know.

Cloudfront

This was just a case of setting the CloudFront origin to be the load balancer for the cluster and setting its HTTP port to be 8080 to match imgproxy.

Signed URLs

Just need to add the following to the environment variables

IMGPROXY_KEY
IMGPROXY_SALT

and they can be generated with echo $(xxd -g 2 -l 64 -p /dev/random | tr -d '\n').

After setting these, the simple /insecure URL will not work.

In Python the signed URL can be generated from the imgproxy example code. Note that here the URL on line 11 should be the s3 URL for the image, e.g. "s3://somebucket/art/1.png". And you need to replace the key and salt with the hex-encoded ones from the ECS environment.
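The signing step described in the answer above, as an added example (it is not part of the original answer and not the imgproxy project's own example code): it builds a signed path for an `s3://` source and re-checks a path the way the server side would. The key and salt are constructed placeholders, `rs:fit:300:300` and `webp` are sample processing options, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac

# Constructed placeholders: substitute the hex strings set as IMGPROXY_KEY / IMGPROXY_SALT.
KEY_HEX = "aa" * 64
SALT_HEX = "bb" * 64


def b64url(data: bytes) -> str:
    """URL-safe base64 with the '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def signature(path: str, key_hex: str, salt_hex: str) -> str:
    """HMAC-SHA256 over salt + path, keyed with the hex-decoded key."""
    key, salt = bytes.fromhex(key_hex), bytes.fromhex(salt_hex)
    digest = hmac.new(key, salt + path.encode(), hashlib.sha256).digest()
    return b64url(digest)


def sign_path(source_url: str, options: str, ext: str,
              key_hex: str = KEY_HEX, salt_hex: str = SALT_HEX) -> str:
    """Return the signed imgproxy path for a source such as s3://bucket/key."""
    path = f"/{options}/{b64url(source_url.encode())}.{ext}"
    return f"/{signature(path, key_hex, salt_hex)}{path}"


def verify_path(signed_path: str, key_hex: str = KEY_HEX,
                salt_hex: str = SALT_HEX) -> bool:
    """Local check (hypothetical helper): recompute and compare in constant time."""
    claimed, sep, remainder = signed_path.lstrip("/").partition("/")
    if not sep:
        return False
    expected = signature("/" + remainder, key_hex, salt_hex)
    return hmac.compare_digest(claimed.encode(), expected.encode())


if __name__ == "__main__":
    signed = sign_path("s3://somebucket/art/1.png", "rs:fit:300:300", "webp")
    print(signed)               # append this path to the CloudFront or load balancer host
    print(verify_path(signed))  # True
```

Because the processing options are covered by the signature, changing the size or format in a signed URL invalidates it, which is what stops arbitrary resize requests from reaching the service.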