Cloudwatch failedinvocation error no logs available

Problem description

I have set up a Cloudwatch rule event where an ECS task definition is started when a previous task definition is completed.

I can see the event triggers the task definition; however, it fails.

The only visibility of this failure is in the rule metrics, where I see the metric FailedInvocations.

Question: are there any logs to see why the trigger failed?

I can manually set up the rule via the management console and everything works fine.

The error occurs when I set up the rule via a CloudFormation template.

I have compared the two rules and both are identical, except the role. However, both roles have the same permissions.

Recommended answer

This stumped us for ages. The main issue is the role problem Nathan B mentions, but something else that tripped us up is that Scheduled Containers won't work in awsvpc mode (and, by extension, Fargate). Here's a sample CloudFormation template:

---
AWSTemplateFormatVersion: 2010-09-09
Description: Fee Recon infrastructure

Parameters:

  ClusterArn:
    Type: String
    Description: The Arn of the ECS Cluster to run the scheduled container on

Resources:

  TaskRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - ecs-tasks.amazonaws.com
        Version: 2012-10-17
      Policies:
        - PolicyName: TaskPolicy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - 'ses:SendEmail'
                  - 'ses:SendRawEmail'
                Resource: '*'

  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      TaskRoleArn: !Ref TaskRole
      ContainerDefinitions:
        - Name: !Sub my-container
          Essential: true
          Image: !Sub <aws-account-no>.dkr.ecr.eu-west-1.amazonaws.com/mycontainer
          Memory: 2048
          Cpu: 1024

  CloudWatchEventECSRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - events.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: CloudwatchEventsInvokeECSRunTask
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action: 'ecs:RunTask'
                Resource: !Ref TaskDefinition

  TaskSchedule:
    Type: AWS::Events::Rule
    Properties:
      Description: Runs every 10 minutes
      Name: ScheduledTask
      ScheduleExpression: cron(0/10 * * * ? *)
      State: ENABLED
      Targets:
        - Id: ScheduledEcsTask
          RoleArn: !GetAtt CloudWatchEventECSRole.Arn
          EcsParameters:
            TaskDefinitionArn: !Ref TaskDefinition
            TaskCount: 1
          Arn: !Ref ClusterArn

Note: I've added the ClusterArn as a parameter to the script but of course it's better to do this with a CloudFormation ImportValue statement.

There are two roles you need to care about. The first is the role (TaskRole) for the task itself: in this example the container just sends an email using SES, so it has the necessary permissions. The second role (CloudWatchEventECSRole) is the one that makes it all work; note that in its Policies array the principal is events.amazonaws.com and the resource is the ECS task defined in the template.
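An offline check of the two things the answer says CloudWatchEventECSRole needs, the events.amazonaws.com trust principal and ecs:RunTask on the task definition. This is an added example, not part of the original answer: the function names, account id, ARN and policy documents are constructed, and Deny statements, conditions and NotAction are ignored.

```python
from fnmatch import fnmatchcase

def as_list(value):
    """IAM JSON accepts a single string wherever it accepts a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def trusts_service(trust_policy, service):
    """True if an Allow statement lets `service` call sts:AssumeRole."""
    for stmt in as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal")
        services = as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow" and service in services
                and "sts:AssumeRole" in as_list(stmt.get("Action"))):
            return True
    return False

def allows(policies, action, resource):
    """True if any Allow statement covers `action` on `resource` (wildcards honoured)."""
    for doc in policies:
        for stmt in as_list(doc.get("Statement")):
            acts = [a.lower() for a in as_list(stmt.get("Action"))]
            if (stmt.get("Effect") == "Allow"
                    and any(fnmatchcase(action.lower(), a) for a in acts)
                    and any(fnmatchcase(resource, r) for r in as_list(stmt.get("Resource")))):
                return True
    return False

def check_target_role(trust_policy, policies, task_definition_arn):
    """Return findings for the rule target's role; an empty list means both checks pass."""
    findings = []
    if not trusts_service(trust_policy, "events.amazonaws.com"):
        findings.append("trust policy does not let events.amazonaws.com assume the role")
    if not allows(policies, "ecs:RunTask", task_definition_arn):
        findings.append("no Allow for ecs:RunTask on " + task_definition_arn)
    return findings

# Constructed sample documents (placeholder account id), shaped like IAM policy JSON.
TASK_ARN = "arn:aws:ecs:eu-west-1:111122223333:task-definition/my-task:1"
def trust(service):
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": service}, "Action": "sts:AssumeRole"}]}
RUN_TASK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecs:RunTask", "Resource": TASK_ARN}]}

if __name__ == "__main__":
    print(check_target_role(trust("events.amazonaws.com"), [RUN_TASK], TASK_ARN))  # both checks pass
    print(check_target_role(trust("ecs-tasks.amazonaws.com"), [RUN_TASK], TASK_ARN))  # same permissions, wrong trust
```

The inputs are the `AssumeRolePolicyDocument` and `PolicyDocument` fields returned by `aws iam get-role` and `aws iam get-role-policy`, so the console-created and CloudFormation-created roles can be run through the same check.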
