ECS Fargate Scheduled Task not running
Solution 1
Although it's been over an year, AWS still don't have a proper way to see invocation logs.
As you already know we can invoke tasks by RunTask
manually, so does Scheduled Task.
The only difference is that Scheduled Task is triggered by CloudWatch rules.
We can easily see invoke logs in CloudTrail Event history
, go there and filter events with Event name: RunTask
and select the time range you want to check, find the event and click View Event
, you'll see the error code and response.
Solution 2
I ran into a similar issue where regular ECS Scheduled Tasks were not running.
I finally resolved it by adding an additional policy to ecsEventsRole
which allows CloudWatch Events to pass IAM roles to ECS Tasks:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:ListInstanceProfiles",
"iam:ListRoles",
"iam:PassRole"
],
"Resource": "*"
}
]
}
Solution 3
Here is a possible workaround: use a lambda function as target for the cloudwatch rule and create the task in the lambda function code.
Here is an example code for the lambda function: https://lobster1234.github.io/2017/12/03/run-tasks-with-aws-fargate-and-lambda/
The links describes how to pack the new boto version with the lambda function but this is not necessary anymore since AWS already updated the lambda boto version to 1.4.8
I've tested and it works.
Solution 4
When defining a Rule in CloudFormation, I had to ensure that the Target RoleArn property referenced ecsEventsRole
:
Targets:
- Id: !Sub ${AWS::StackName}-cron-test-1
Arn: arn:aws:ecs:eu-west-1:<account id>:cluster/fargate-cluster
RoleArn: !Join
- ':'
- - "arn:aws:iam"
- ""
- !Ref "AWS::AccountId"
- "role/ecsEventsRole"
And where ecsEventsRole
defined the AmazonEC2ContainerServiceEventsRole policy
Related videos on Youtube
coolboyjules
Crypto technician/researcher, full-stack developer, and co-founder/CTO @ NextGen Blockchain Technologies.
Updated on September 15, 2022Comments
-
coolboyjules over 1 year
I'm trying to setup a scheduled task with ECS Fargate but I cannot figure out why it is not running. I can confirm the task works correctly using
RunTask
but when I try to trigger it on a schedule all I get is a bunch of 'FailedInvocations' with no explanation.I do know though that the rule is being triggered so this is a good sign. See the screenshot below:
But everytime it is triggered there is just a 'FailedInvocation'. Here's the scheduling rule:
And the default permissions on the
ecsEventRole
with justecs:runTask
:{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:RunTask" ], "Resource": [ "*" ] } ] }
My hunch says that this
ecsEventsRole
doesn't have enough permissions. Should I try to give it the ones thatecsTaskExecutionRole
has?Thanks
EDIT: This is now supported in
us-east-1
region. See comments.-
Marc Young over 6 yearsAny updates? I'm at exactly the same spot and stuck
-
coolboyjules over 6 yearsNope. I'm still stuck :( Given up on all options.
-
Marc Young over 6 yearsI talked to AWS support, its not supported yet. No ETA
-
coolboyjules over 6 yearsBrutal. Thanks Marc
-
simon almost 6 years@MarcYoung exactly what is not supported?
-
Marc Young almost 6 yearsScheduled Fargate tasks are not supported. Only EC2 scheduled ecs tasks
-
FBryant87 over 5 yearsFargate tasks are now supported: aws.amazon.com/about-aws/whats-new/2018/08/…
-
coolboyjules over 5 yearsWorks in us-east-1, but unavailable in ca-central-1. Assuming there are other problem regions.
-
-
Chris about 6 yearsI think this is hitting a few people because the first bit of documentation (docs.aws.amazon.com/AmazonECS/latest/developerguide/…) says 'You must add iam:PassRole permissions for any task role overrides to the CloudWatch IAM role', but it turns out that the task needs it to use a role already applied (explained in a different area of the documentation docs.aws.amazon.com/AmazonECS/latest/developerguide/… - 'If your scheduled tasks require the use of the task execution role or a task role override, then you must add iam:PassRole permissions').
-
Marc Young almost 6 yearsThats what I was trying to avoid but ended up with
-
coolboyjules almost 6 yearsI ended up using this. Probably the most reasonable solution presently.
-
tanvi over 5 yearsmake sure to edit the security group, subnet and account ID strings before running it - they're just placeholders in the command i used above.
-
gileri over 5 yearsIn addition to ecs:RunTask, I only needed iam:PassRole on both the Task Role and Task Execution role resources.
-
鄭元傑 over 3 yearsAfter I combined top 2 answer, added
ecs:RunTask
and"iam:ListInstanceProfiles", "iam:ListRoles", "iam:PassRole"
to the cloudwatch event iam role, finally the task run successfully. -
Stephen Wright almost 3 yearsThis is actually the correct answer. Errors in the actual config aside, this problem was exacerbated by the logs being hidden. I had no idea Cloudtrail even existed, never mind that it ingests internal AWS events.