CloudWatch失败调用错误没有可用的日志 [英] Cloudwatch failedinvocation error no logs available
问题描述
我设置了一个Cloudwatch规则事件,其中在完成前一个任务定义后启动ECS任务定义.
I have set up a Cloudwatch rule event where an ECS task definition is started when a previous task definition is completed.
我可以看到事件触发了任务定义,但是失败了.
I can see the event triggers the task definition however it fails.
此失败的唯一可见性是规则指标,在该指标中我看到了指标调用失败.
The only visibility of this failure is in the rule metrics, where I see the metric failedinnvocations.
问题,是否有任何日志可以查看触发失败的原因?
Question, are there any logs to see why the trigger failed?
我可以通过管理控制台手动设置规则,并且一切正常.
I can manually set up the rule via the management console and everything works fine.
当我通过cloudformation模板设置规则时会发生错误.
The error occurs when I set up the rule via a cloudformation template.
我已经比较了这两个规则,除了角色之外,两者都是相同的.但是,这两个角色具有相同的权限.
I have compared the two rules and both are identical, except the role. However, both roles have the same permissions.
推荐答案
这使我们困扰了很多年,主要问题是Nathan B提到的角色问题,但令我们绊倒的另一件事是,Scheduled Containers在 awsvpc
模式(并通过Fargate扩展).这是一个示例CloudFormation模板:
This stumped us for ages, the main issue is the role problem Nathan B mentions but something else that tripped us up is that Scheduled Containers won't work in awsvpc
mode (and by extension Fargate). Here's a sample CloudFormation template:
---
AWSTemplateFormatVersion: 2010-09-09
Description: Fee Recon infrastructure
Parameters:
ClusterArn:
Type: String
Description: The Arn of the ECS Cluster to run the scheduled container on
Resources:
TaskRole:
Type: AWS::IAM::Role
Properties:
Path: /
AssumeRolePolicyDocument:
Statement:
- Action:
- sts:AssumeRole
Effect: Allow
Principal:
Service:
- ecs-tasks.amazonaws.com
Version: 2012-10-17
Policies:
- PolicyName: TaskPolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- 'ses:SendEmail'
- 'ses:SendRawEmail'
Resource: '*'
TaskDefinition:
Type: AWS::ECS::TaskDefinition
Properties:
TaskRoleArn: !Ref TaskRole
ContainerDefinitions:
- Name: !Sub my-container
Essential: true
Image: !Sub <aws-account-no>.dkr.ecr.eu-west-1.amazonaws.com/mycontainer
Memory: 2048
Cpu: 1024
CloudWatchEventECSRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- events.amazonaws.com
Action:
- sts:AssumeRole
Path: /
Policies:
- PolicyName: CloudwatchEventsInvokeECSRunTask
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: 'ecs:RunTask'
Resource: !Ref TaskDefinition
TaskSchedule:
Type: AWS::Events::Rule
Properties:
Description: Runs every 10 minutes
Name: ScheduledTask
ScheduleExpression: cron(0/10 * * * ? *)
State: ENABLED
Targets:
- Id: ScheduledEcsTask
RoleArn: !GetAtt CloudWatchEventECSRole.Arn
EcsParameters:
TaskDefinitionArn: !Ref TaskDefinition
TaskCount: 1
Arn: !Ref ClusterArn
注意:我已经将ClusterArn作为参数添加到脚本中,但是当然最好使用CloudFormation ImportValue
语句来执行此操作.
Note: I've added the ClusterArn as a parameter to the script but of course it's better to do this with a CloudFormation ImportValue
statement.
您需要关心两个角色,第一个是任务本身的角色( TaskRole
):在此示例中,容器仅使用SES发送电子邮件,因此它具有必要的权限.第二个角色( CloudWatchEventECSRole
)使这一切都起作用,请注意,在其 Policies
数组中,原理是 events.amazonaws.com
资源是模板中定义的ECS任务.
There are two roles you need to care about, the first is the role (TaskRole
) for the task itself: in this example the container just sends an email using SES so it has the necessary permissions. The second role (CloudWatchEventECSRole
) is the one that makes it all work, note that in its Policies
array the principle is events.amazonaws.com
and the resource is the ECS task defined in the template.
这篇关于CloudWatch失败调用错误没有可用的日志的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!