0
votes

I need to enable task roles for Windows containers. My cluster was launched via the ECS Console:

AMI: Windows_Server-2019-English-Full-ECS_Optimized-2020.12.11

UserData (changed from the original created via the ECS Console):

<powershell>
[Environment]::SetEnvironmentVariable("ECS_ENABLE_TASK_IAM_ROLE", $TRUE, "Machine")
[Environment]::SetEnvironmentVariable("ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST", $TRUE, "Machine")
Initialize-ECSAgent -Cluster cluster -EnableTaskIAMRole -LoggingDrivers '["json-file","awslogs"]'
</powershell>

EC2 Role: Full Admin

Security Group: All TCP Open

ECS Agent Log:

Proxy Credentials rules are created:

2021-01-14T11:16:56Z - [INFO]:Firewall rule found.  
Name                           Value                                                                                   
----                           -----                                                                                   
Direction                      Inbound                                                                                 
LocalPort                      51679                                                                                   
DisplayName                    Allow Inbound Port 51679                                                                
Protocol                       TCP                                                                                     
Action                         Allow    


2021-01-14T11:16:56Z - [INFO]:Firewall rule found.  
Name                           Value                                                                                   
----                           -----                                                                                   
Action                         Allow                                                                                   
DisplayName                    Allow Inbound 169.254.170.2:80                                                          
LocalPort                      80                                                                                      
Direction                      Inbound                                                                                 
LocalAddress                   169.254.170.2                                                                           
Protocol                       TCP            

2021-01-14T11:17:01Z - [INFO]:netsh interface portproxy show all
2021-01-14T11:17:01Z - [INFO]:
2021-01-14T11:17:01Z - [INFO]:Setting up new ipv4 interface proxy to forward traffic...
2021-01-14T11:17:01Z - [INFO]:  from 169.254.170.2:80
2021-01-14T11:17:01Z - [INFO]:  to 127.0.0.1:51679
2021-01-14T11:17:01Z - [INFO]:
2021-01-14T11:17:01Z - [INFO]:Checking port forwarding...
2021-01-14T11:17:04Z - [INFO]:netsh interface portproxy show all
2021-01-14T11:17:04Z - [INFO]:
2021-01-14T11:17:04Z - [INFO]:Listen on ipv4:             Connect to ipv4:
2021-01-14T11:17:04Z - [INFO]:
2021-01-14T11:17:04Z - [INFO]:Address         Port        Address         Port
2021-01-14T11:17:04Z - [INFO]:--------------- ----------  --------------- ----------
2021-01-14T11:17:04Z - [INFO]:169.254.170.2   80          127.0.0.1       51679
2021-01-14T11:17:04Z - [INFO]:
2021-01-14T11:17:04Z - [INFO]:TcpTestSucceeded: True
2021-01-14T11:17:04Z - [INFO]:Port forwarding setup complete.
2021-01-14T11:17:04Z - [INFO]:ECS Host setup complete.
2021-01-14T11:17:04Z - [INFO]:Creating Initialize-ECSHostReboot ScheduledTask
2021-01-14T11:17:05Z - [INFO]:ScheduledTask Initialize-ECSHostReboot created.
2021-01-14T11:17:05Z - [INFO]:Task IAM role is enabled. Changing AmazonECS service startup to Manual.

Troubleshooting Commands:

Command: netsh interface portproxy show all

Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
169.254.170.2   80          127.0.0.1       51679


Command: netstat -an | select-string 169.254.170.2

  TCP    169.254.170.2:80       0.0.0.0:0              LISTENING


Command: ping 169.254.170.2
Pinging 169.254.170.2 with 32 bytes of data:
Reply from 169.254.170.2: bytes=32 time<1ms TTL=128
Reply from 169.254.170.2: bytes=32 time<1ms TTL=128
Reply from 169.254.170.2: bytes=32 time<1ms TTL=128

Expected Behavior: My ECS instance gets the attribute com.amazonaws.ecs.capability.task-iam-role so that it is able to run the task.

Observed Behavior: The ECS instance does not get the attribute.

Any help is kindly appreciated.

Many Thanks
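The host-side checks the question runs by hand (firewall rules, netsh portproxy, listener, and the attributes the instance registers) collected into one script, as an added example that is not part of the original post. It is meant to run in an elevated PowerShell session on the Windows container instance itself. The cluster name is the placeholder from the question; the AWS CLI is assumed to be installed and the instance profile is assumed to allow ecs:ListAttributes.

```powershell
# Added example, not part of the original post: verify the task IAM role
# credential-proxy plumbing on a Windows ECS container instance and report
# which capability attributes the instance actually registered with the cluster.
# Assumes: elevated session on the instance, AWS CLI present, ecs:ListAttributes allowed.
$Cluster      = 'cluster'        # placeholder: the -Cluster value passed to Initialize-ECSAgent
$ProxyAddress = '169.254.170.2'  # link-local address containers use to fetch task credentials
$AgentPort    = 51679            # agent credential endpoint, bound to loopback only
$Findings     = New-Object System.Collections.Generic.List[string]

# 1. Agent settings in the Machine scope, which is what the AmazonECS service reads.
foreach ($name in 'ECS_ENABLE_TASK_IAM_ROLE', 'ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST') {
    $value = [Environment]::GetEnvironmentVariable($name, 'Machine')
    if ("$value" -ne 'true') { $Findings.Add("$name is '$value', expected true") }   # -ne is case-insensitive
}

# 2. Firewall rules the agent setup creates (logged as "Firewall rule found").
foreach ($display in 'Allow Inbound Port 51679', "Allow Inbound ${ProxyAddress}:80") {
    $rule = Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue
    if (-not $rule -or $rule.Enabled -ne 'True' -or $rule.Action -ne 'Allow') {
        $Findings.Add("firewall rule '$display' missing, disabled or not Allow")
    }
}

# 3. The portproxy that forwards 169.254.170.2:80 to the agent on 127.0.0.1:51679.
$proxyTable = netsh interface portproxy show v4tov4
$pattern = "^\s*$([regex]::Escape($ProxyAddress))\s+80\s+127\.0\.0\.1\s+$AgentPort\s*$"
if (-not ($proxyTable | Where-Object { $_ -match $pattern })) {
    $Findings.Add("no portproxy entry ${ProxyAddress}:80 -> 127.0.0.1:$AgentPort")
}

# 4. Something actually listens on the link-local address, and the agent answers on loopback.
if (-not (Get-NetTCPConnection -LocalAddress $ProxyAddress -LocalPort 80 -State Listen -ErrorAction SilentlyContinue)) {
    $Findings.Add("nothing listening on ${ProxyAddress}:80")
}
if (-not (Test-NetConnection -ComputerName 127.0.0.1 -Port $AgentPort -InformationLevel Quiet)) {
    $Findings.Add("agent credential endpoint 127.0.0.1:$AgentPort not accepting connections")
}

# 5. Attributes the instance registered. A task definition with a task role needs
# com.amazonaws.ecs.capability.task-iam-role; one that uses the awslogs driver with an
# execution role also needs ecs.capability.execution-role-awslogs.
$Required   = 'com.amazonaws.ecs.capability.task-iam-role', 'ecs.capability.execution-role-awslogs'
$registered = (aws ecs list-attributes --cluster $Cluster --target-type container-instance --output json |
               ConvertFrom-Json).attributes.name | Sort-Object -Unique
foreach ($attr in $Required) {
    if ($registered -notcontains $attr) { $Findings.Add("attribute $attr not registered in cluster $Cluster") }
}

if ($Findings.Count -eq 0) { Write-Output 'All task IAM role checks passed.' }
else { $Findings | ForEach-Object { Write-Output "FAIL: $_" } }
```

Step 5 is the check that settles a "task won't place" problem: the scheduler rejects a task for a missing capability attribute, not for a broken host proxy, so compare the names the instance actually registered against what the task definition requires rather than stopping at `TcpTestSucceeded: True`. One caveat on the setup described in the question: the task role path only governs what a container gets from 169.254.170.2; the instance role stays reachable from containers through the EC2 instance metadata endpoint unless that is blocked, so an instance role with full admin rights is effectively available to every task on the host. Once task roles work, trim the instance role to what the agent itself needs.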


1 Answer

0
votes

After more research I ran `aws ecs list-attributes` and noticed that com.amazonaws.ecs.capability.task-iam-role is OK; the missing attribute is ecs.capability.execution-role-awslogs, and setting the ECS_ENABLE_AWSLOGS_EXECUTIONROLE_OVERRIDE environment variable fixed the problem.
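The question's UserData with the setting the answer identifies added, as an added example that is not part of the original answer. The cluster name and logging drivers are the placeholders from the question; the script body goes inside the same `<powershell>` ... `</powershell>` UserData wrapper the question uses.

```powershell
# Added example, not from the original post: UserData for a Windows ECS container
# instance that advertises both com.amazonaws.ecs.capability.task-iam-role and
# ecs.capability.execution-role-awslogs. Placeholders: cluster name, logging drivers.
[Environment]::SetEnvironmentVariable("ECS_ENABLE_TASK_IAM_ROLE", "true", "Machine")
[Environment]::SetEnvironmentVariable("ECS_ENABLE_TASK_IAM_ROLE_NETWORK_HOST", "true", "Machine")

# The setting the question's UserData lacked. It lets the awslogs driver obtain
# credentials from the task execution role instead of the instance role; without it
# the agent does not register ecs.capability.execution-role-awslogs, and any task
# definition whose awslogs configuration relies on an execution role cannot be placed.
[Environment]::SetEnvironmentVariable("ECS_ENABLE_AWSLOGS_EXECUTIONROLE_OVERRIDE", "true", "Machine")

Initialize-ECSAgent -Cluster cluster -EnableTaskIAMRole -LoggingDrivers '["json-file","awslogs"]'
```

After the instance has re-registered, confirm the specific attribute rather than the whole list with `aws ecs list-attributes --cluster cluster --target-type container-instance --attribute-name ecs.capability.execution-role-awslogs`; an empty `attributes` array means the agent started without the variable in its Machine-scope environment (for example because it was set after the service had already been initialized).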