I have a Fargate Task container where it cannot do basic S3 and STS operations with the credentials that boto3 is using. I have confirmed that the Task has a Task Role with the appropriate permissions and frankly, I have another AWS Account with these same CloudFormation templates running perfectly. This has never happened before.
When I manually assume the Task Role locally and provide those credentials to the container via environment variables, everything works perfectly. I am not sure how to tell that the credentials were properly set for the task role but they don't work in the container and they don't work locally either (I tried).
In fact, I also created a boto3 session and used those frozen credentials... same result. For example, accessing STS operation GetCallerIdentity yielded error InvalidClientTokenId. But, again, providing the task role credentials manually worked.
Expected Behavior
boto3 should get valid credentials on its own from the metadata endpoint and those credentials should have the same access as the ECS task role
Current Behavior
The credentials are invalid despite the fact that the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable is set (i.e. value of /v2/credentials/f11cb8c1-606f-4e1d-8f1a-20f62ad276bb) and the fact that there are no container logs which state the metadata endpoint cannot be reached.
DEBUG:botocore.hooks:Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
DEBUG:botocore.hooks:Changing event name from docs..autoscaling.CreateLaunchConfiguration.complete-section to docs..auto-scaling.CreateLaunchConfiguration.complete-section
ERROR: 09:55:38 api:146 [816ed0b255b148ba8697110a594140db] An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid
Reproduction Steps
Fargate 1.4
CloudFormation snippet:
Possible Solution
No response
Additional Information/Context
CloudWatch logs from the STS call:
CloudWatch Logs Live tail
Region: eu-west-1
Log group name(s): arn:aws:logs:eu-west-1:891377041103:log-group:/platform/apps/auth/svc:*
Log stream name(s): /ecs/platform-apps-auth-svc-container/84a1f513a5ea4896b732137881bc2efa
Log stream prefix:
Filter pattern:
InvalidClientTokenId
\n The security token included in the request is invalid\n \n eb5e29aa-718f-4f78-99bd-8f25795b0fec\n\n'
SDK version used
1.34.53
Environment details (OS name and version, etc.)
Fargate 1.4
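Added example, not part of the original issue and not boto3 code: a standard-library diagnostic to run inside the task. It reads the document served at the path in AWS_CONTAINER_CREDENTIALS_RELATIVE_URI and reports, without printing any secret, whether an earlier credential source is set, whether the served role is the expected one, and whether the credentials are complete and unexpired. The `diagnose` helper, the expected role ARN and the sample values are assumptions; 169.254.170.2 is the ECS task credentials endpoint.

```python
import json
import os
import urllib.request
from datetime import datetime, timezone

ECS_CREDS_HOST = "http://169.254.170.2"  # ECS task credentials endpoint
# Environment variables that point botocore at a credential source it
# consults before the container endpoint.
EARLIER_SOURCES = ("AWS_ACCESS_KEY_ID", "AWS_PROFILE", "AWS_WEB_IDENTITY_TOKEN_FILE")


def http_fetch(url):
    """Default fetcher: GET the credentials document from inside the task."""
    with urllib.request.urlopen(url, timeout=2) as resp:
        return resp.read().decode()


def diagnose(env, expected_role_arn, fetch=http_fetch, now=None):
    """Return a list of findings; secret values are never included."""
    now = now or datetime.now(timezone.utc)
    findings = [f"{v} is set: botocore consults that source before the task role endpoint"
                for v in EARLIER_SOURCES if env.get(v)]
    rel = env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
    if not rel:
        return findings + ["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is not set"]
    try:
        doc = json.loads(fetch(ECS_CREDS_HOST + rel))
    except (OSError, ValueError) as exc:  # unreachable endpoint or non-JSON body
        return findings + [f"credentials endpoint unusable: {exc}"]
    if doc.get("RoleArn") != expected_role_arn:
        findings.append(f"endpoint serves role {doc.get('RoleArn')!r}, expected {expected_role_arn!r}")
    missing = [k for k in ("AccessKeyId", "SecretAccessKey", "Token") if not doc.get(k)]
    if missing:
        findings.append("response lacks " + ", ".join(missing))
    exp = doc.get("Expiration")
    if exp and datetime.fromisoformat(exp.replace("Z", "+00:00")) <= now:
        findings.append(f"credentials expired at {exp}")
    return findings


if __name__ == "__main__":
    # Run inside the task; the role ARN below is a placeholder to replace.
    placeholder_arn = "arn:aws:iam::111122223333:role/EXAMPLE-task-role"
    for line in diagnose(os.environ, placeholder_arn) or ["no findings"]:
        print(line)
```

An empty result means the endpoint is serving complete, unexpired credentials for the expected role and no earlier source is set, so the cause lies outside the checks made here.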