fix(stepfunctions-tasks): missing permissions for running tasks on ecs #27891
Conversation
github-actions
bot
added
admired-contributor
| CMD python3 index.py | ||
| FROM --platform=x86-64 public.ecr.aws/docker/library/python:3.12 | ||
| ADD index.py . | ||
| CMD [ "python3", "./index.py" ] |
There was a problem hiding this comment.
I needed --platform=x86-64 since I am building on a Mac M2.
There was a problem hiding this comment.
Instead of changing the image have you tried changing CMD:
CMD [ "index.handler" ]
and defining a handler function in index.py:
import os
import print
def handler(event, context):
print('Hello from ECS!')
pprint.pprint(dict(os.environ))
?
There was a problem hiding this comment.
I did try that but didn't spend a bunch of time on it. I can revisit.. but my thinking is, why is it a Lambda image when this is running on ECS and not in Lambda?
There was a problem hiding this comment.
Good point, thanks for clarifying.
| resources: [this.getTaskDefinitionFamilyArn()], | ||
| resources: [ | ||
| this.getTaskDefinitionFamilyArn(), | ||
| `${this.getTaskDefinitionFamilyArn()}:*`, |
There was a problem hiding this comment.
Drawing attention to the bits that add permission to run versions of the task definition.
aws-cdk-automation
added
the
pr/needs-community-review
...@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.ts
Outdated
Show resolved
Hide resolved
...ges/@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.ec2-task.ts
Outdated
Show resolved
Hide resolved
...-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-run-task.ts
Outdated
Show resolved
Hide resolved
...@aws-cdk-testing/framework-integ/test/aws-stepfunctions-tasks/test/ecs/integ.fargate-task.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/ecs/run-task.ts
Outdated
Show resolved
Hide resolved
| CMD python3 index.py | ||
| FROM --platform=x86-64 public.ecr.aws/docker/library/python:3.12 | ||
| ADD index.py . | ||
| CMD [ "python3", "./index.py" ] |
There was a problem hiding this comment.
Instead of changing the image have you tried changing CMD:
CMD [ "index.handler" ]
and defining a handler function in index.py:
import os
import print
def handler(event, context):
print('Hello from ECS!')
pprint.pprint(dict(os.environ))
?
aws-cdk-automation
removed
the
pr/needs-community-review
| CMD python3 index.py | ||
| FROM --platform=x86-64 public.ecr.aws/docker/library/python:3.12 | ||
| ADD index.py . | ||
| CMD [ "python3", "./index.py" ] |
There was a problem hiding this comment.
Good point, thanks for clarifying.
aws-cdk-automation
added
the
pr/needs-maintainer-review
There was a problem hiding this comment.
Hey @msambol , this is great. Just a clarification comment.
There was a problem hiding this comment.
Could you tell me why some of these were removed?
And if we can remove --platform=x86-64?
There was a problem hiding this comment.
We don't need some of these commands in the Dockerfile.
I needed --platform=x86-64 because I am building on an M2 and got an architecture mismatch. Unless I'm doing something wrong?
There was a problem hiding this comment.
I'm not too familiar with Docker but I'm also concerned with this. What about other users who are not on an M2 but on a computer incompatible with this platform? Maybe @mrgrain can weigh in further because I'm not well-versed myself in Docker stuff.
There was a problem hiding this comment.
@mrgrain Have some time to look at this?
There was a problem hiding this comment.
@msambol What is the exact error you are getting?
There was a problem hiding this comment.
@mrgrain I'm not sure if I was doing something wrong or something changed, but it's working now without "platform" 😅
There was a problem hiding this comment.
@mrgrain wait... I think this is still an issue. I get exec /usr/local/bin/python3: exec format error when I run the task without --platform=linux/amd64. Let me keep testing..
|
@vinayak-kukreja Any additional feedback on this? |
msambol
force-pushed
the
sfn-tasks-tests
branch
from
8478c8a to
9306e0f
Compare
msambol
force-pushed
the
sfn-tasks-tests
branch
from
9306e0f to
fb37482
Compare
|
@mrgrain Have time for another look at this one ? |
|
@mrgrain Mind taking another look here? |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
aws-cdk-automation
removed
the
pr/needs-maintainer-review
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
#27891) While working on [#27803](#27803), I noticed the integration tests for `aws-stepfunctions-tasks/ecs` were not fully working (they deployed but the state machines did not run successfully). This PR addresses two issues: 1. Missing permissions for `ecs:RunTask` on the task definition version. <img width="1587" alt="sfn-role" src="https://github.com/aws/aws-cdk/assets/3310356/13a0d402-8cbb-4852-9708-290f3a3b6711"> 2. The sample container was from a Lambda image. This resulted in the following error: `entrypoint requires the handler name to be the first argument`. I changed the image to `docker/library/python:3.12`. These changes result in the successful execution of all four state machines in `aws-stepfunctions-tasks/ecs`. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Updates for the changes introduced in AWS CDK v2.128.0. See: - https://github.com/aws/aws-cdk/releases/tag/v2.128.0 - aws/aws-cdk#27891
While working on #27803, I noticed the integration tests for
aws-stepfunctions-tasks/ecswere not fully working (they deployed but the state machines did not run successfully). This PR addresses two issues:ecs:RunTaskon the task definition version.entrypoint requires the handler name to be the first argument. I changed the image todocker/library/python:3.12.These changes result in the successful execution of all four state machines in
aws-stepfunctions-tasks/ecs.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license