
AccessDeniedException on running fire-and-forget ECS task

Open brainoutsource opened this issue 4 years ago • 3 comments

I'm trying to schedule an AWS ECS task to run every 5 minutes:

import * as aws from "@pulumi/aws";
import * as awsx from "@pulumi/awsx";

const batchCluster = new awsx.ecs.Cluster("batch-cluster");

const batchPocTask = new awsx.ecs.FargateTaskDefinition("batch-poc", {
    container: {
        image: "alpine",
        memory: 128,
        entryPoint: ["echo", "hello world"]
    },
});

// Lambda handler: starts one fire-and-forget run of the task on the cluster
const batchPocTaskHandler: aws.cloudwatch.EventRuleEventHandler = async (event: aws.cloudwatch.EventRuleEvent) => {
    await batchPocTask.run({cluster: batchCluster});
};

// Invoke the handler on a schedule (every 5 minutes)
const batchPocScheduleTask: aws.cloudwatch.EventRuleEventSubscription = aws.cloudwatch.onSchedule(
    "batch-poc-schedule",
    "cron(*/5 * * * ? *)",
    batchPocTaskHandler
);

Current behavior

Deployment with pulumi up is successful, but when I check the batch-poc-schedule lambda CloudWatch log after an expected scheduled run, I see:

{
    "errorType": "AccessDeniedException",
    "errorMessage": "User: arn:aws:sts::554523412554:assumed-role/batch-poc-schedule-a1297ba/batch-poc-schedule-325ae24 is not authorized to perform: ecs:RunTask on resource: arn:aws:ecs:us-east-1:554523412554:task-definition/batch-poc-aece9bcd:1",
    "code": "AccessDeniedException",
    "message": "User: arn:aws:sts::554523412554:assumed-role/batch-poc-schedule-a1297ba/batch-poc-schedule-325ae24 is not authorized to perform: ecs:RunTask on resource: arn:aws:ecs:us-east-1:554523412554:task-definition/batch-poc-aece9bcd:1",
    "time": "2021-04-08T10:05:54.888Z",
    "requestId": "978fa4d1-33fb-486e-98e6-1c9d44526469",
    "statusCode": 400,
    "retryable": false,
    "retryDelay": 3.7942372227858234,
    "stack": [
        "AccessDeniedException: User: arn:aws:sts::554523412554:assumed-role/batch-poc-schedule-a1297ba/batch-poc-schedule-325ae24 is not authorized to perform: ecs:RunTask on resource: arn:aws:ecs:us-east-1:554523412554:task-definition/batch-poc-aece9bcd:1",
        "    at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:52:27)",
        "    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)",
        "    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)",
        "    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:688:14)",
        "    at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)",
        "    at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)",
        "    at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10",
        "    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)",
        "    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:690:12)",
        "    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18)"
    ]
}

brainoutsource avatar Apr 08 '21 10:04 brainoutsource
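As an added example (not code from the issue or from pulumi-awsx), the helper below turns the AccessDeniedException message above into the least-privilege grant the scheduler's role was missing: ecs:RunTask on that one task family, restricted to one cluster, plus the iam:PassRole ECS needs. The cluster and task-role ARNs in the usage are constructed placeholders.

```typescript
// Added example: triage helper for the ecs:RunTask AccessDeniedException shown in the
// issue. Not part of the pulumi-awsx project; ARNs passed in by the caller are assumptions.

interface AccessDenied { principal: string; action: string; resource: string; }
interface PolicyDocument { Version: string; Statement: Array<Record<string, unknown>>; }

// Matches the message format AWS returns for IAM authorization failures
const DENIED_RE = /^User: (\S+) is not authorized to perform: (\S+) on resource: (\S+)/;

function parseAccessDenied(message: string): AccessDenied | null {
    const m = DENIED_RE.exec(message);
    return m ? { principal: m[1], action: m[2], resource: m[3] } : null;
}

// Replace the trailing revision (":1") with a wildcard so the grant survives
// task-definition updates without widening to other task families
function taskFamilyArn(taskDefArn: string): string {
    return taskDefArn.replace(/:\d+$/, ":*");
}

// Allow RunTask on that one task family, only into one cluster, plus the
// iam:PassRole the task needs, restricted to roles handed to ECS itself
function runTaskPolicy(denied: AccessDenied, clusterArn: string, taskRoleArns: string[]): PolicyDocument {
    if (denied.action !== "ecs:RunTask") {
        throw new Error(`expected ecs:RunTask, got ${denied.action}`);
    }
    return {
        Version: "2012-10-17",
        Statement: [
            {
                Effect: "Allow",
                Action: "ecs:RunTask",
                Resource: taskFamilyArn(denied.resource),
                Condition: { ArnEquals: { "ecs:cluster": clusterArn } },
            },
            {
                Effect: "Allow",
                Action: "iam:PassRole",
                Resource: taskRoleArns,
                Condition: { StringEquals: { "iam:PassedToService": "ecs-tasks.amazonaws.com" } },
            },
        ],
    };
}
```

The returned document can be passed as the `policy` of an `aws.iam.RolePolicy` attached to the Lambda's role when `onSchedule` is given an explicit `aws.lambda.Function` instead of a bare handler.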

To execute the ECS task on an EventRule, the best way is to write the EventRule and EventTarget, e.g.:

import * as aws from "@pulumi/aws";
import * as awsx from "@pulumi/awsx";

const batchCluster = new awsx.ecs.Cluster("batch-cluster");

const batchPocTask = new awsx.ecs.FargateTaskDefinition("batch-poc", {
    container: {
        image: "alpine",
        memory: 128,
        entryPoint: ["echo", "hello world"]
    },
});

// Schedule rule: fires every 5 minutes
const eventRule = new aws.cloudwatch.EventRule('event-rule', {
    scheduleExpression: 'cron(*/5 * * * ? *)',
    description: 'Trigger ECS Task',
});

// Role that EventBridge assumes to call ecs:RunTask. The trust policy must name
// the events service principal; ecs-tasks.amazonaws.com is the task's own role principal.
const role = new aws.iam.Role('role', {
    assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({
        Service: 'events.amazonaws.com',
    }),
});

// AWS-managed policy granting ecs:RunTask and iam:PassRole to event targets
new aws.iam.RolePolicyAttachment('policy-ecs', {
    policyArn: 'arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceEventsRole',
    role: role,
});

new aws.cloudwatch.EventTarget('event-target', {
    arn: batchCluster.cluster.arn,
    rule: eventRule.name,
    roleArn: role.arn,
    ecsTarget: {
        taskCount: 1,
        taskDefinitionArn: batchPocTask.taskDefinition.arn,
        // A Fargate task definition additionally needs launchType: 'FARGATE' and a
        // networkConfiguration with subnets; left out here as in the original comment.
    },
});

felipegirotti avatar Feb 04 '22 21:02 felipegirotti

@felipegirotti that's what I had to do as well, but I was hoping for the nice API of await task({cluster: myCluster}) to work.

brainoutsource avatar Feb 08 '22 11:02 brainoutsource

Unfortunately, it looks like this issue hasn't seen any updates in a while. If you're still experiencing this issue, could you leave a quick comment to let us know so we can prioritize it?

github-actions[bot] avatar Jul 25 '25 04:07 github-actions[bot]