AWS XRAY on Fargate service

July 27, 2022, at 9:20 PM

I want to add xray to my Fargate service. Everything works (synth/deploy) but in the logs I'm seeing the following error:

2022-02-07T13:38:22Z [Error] Sending segment batch failed with: AccessDeniedException: 2022-02-07 14:38:22status code: 403, request id: cdc23f61-5c2e-4ede-8bda-5328e0c8ac8f

The user I'm using to deploy the application has the AWSXrayFullAccess permission. Do I have to grant the task the permission manually? If so, how?

Here is a snippet of the application:

const cdk = require('@aws-cdk/core');
const ecs = require('@aws-cdk/aws-ecs');
const ecsPatterns = require('@aws-cdk/aws-ecs-patterns');
class API extends cdk.Stack {
  constructor(parent, id, props) {
    super(parent, id, props);
    this.apiXRayTaskDefinition = new ecs.FargateTaskDefinition(this, 'apixRay-definition', {
      cpu: 256,
      memoryLimitMiB: 512,
    });
    this.apiXRayTaskDefinition.addContainer('api', {
        image: ecs.ContainerImage.fromAsset('./api'),
        environment: {
          "QUEUE_URL": props.queue.queueUrl,
          "TABLE": props.table.tableName,
          "AWS_XRAY_DAEMON_ADDRESS": "0.0.0.0:2000"
        },
        logging: ecs.LogDriver.awsLogs({ streamPrefix: 'api' }),
    }).addPortMappings({
      containerPort: 80
    })
    this.apiXRayTaskDefinition.addContainer('xray', {
      image: ecs.ContainerImage.fromRegistry('public.ecr.aws/xray/aws-xray-daemon:latest'),
      logging: ecs.LogDriver.awsLogs({ streamPrefix: 'xray' }),
    }).addPortMappings({
      containerPort: 2000,
      protocol: ecs.Protocol.UDP,
    });
    // API
    this.api = new ecsPatterns.ApplicationLoadBalancedFargateService(this, 'api', {
      cluster: props.cluster,
      taskDefinition: this.apiXRayTaskDefinition,
      desiredCount: 2,
      cpu: 256,
      memory: 512,
      createLogs: true
    })
    props.queue.grantSendMessages(this.api.service.taskDefinition.taskRole);
    props.table.grantReadWriteData(this.api.service.taskDefinition.taskRole);
  }
}
Answer 1

The user I'm using to deploy the application has the AWSXrayFullAccess permission.

This is irrelevant; the task will not get all the rights of the user that deploys the stack.

Yes, you need to add the required permissions to the task with

// At the top of the file, next to the other requires:
const iam = require('@aws-cdk/aws-iam');

this.apiXRayTaskDefinition.taskRole.addManagedPolicy(
    iam.ManagedPolicy.fromAwsManagedPolicyName('AWSXRayDaemonWriteAccess')
);

References:

AWS managed policy with required access for the X-Ray daemon: https://docs.aws.amazon.com/xray/latest/devguide/security_iam_id-based-policy-examples.html#xray-permissions-managedpolicies

Import an AWS-managed policy: https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-iam.ManagedPolicy.html#static-fromwbrawswbrmanagedwbrpolicywbrnamemanagedpolicyname

Access the task role: https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-ecs.FargateTaskDefinition.html#taskrole-1

Add a policy: https://docs.aws.amazon.com/cdk/api/v1/docs/@aws-cdk_aws-iam.IRole.html#addwbrmanagedwbrpolicypolicy
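
A check for the misconfiguration behind the 403, as an added example that is not part of the original answer: it scans a synthesized CloudFormation template for task definitions that run the X-Ray daemon image while their task role has neither the AWSXRayDaemonWriteAccess managed policy nor a statement allowing xray:PutTraceSegments. The function names and the sample template are constructed for illustration, and the template shape is assumed to be what `cdk synth` emits.

```javascript
// Added example: audit `cdk synth` output for X-Ray daemon tasks whose role cannot write traces.
const DAEMON_IMAGE = 'aws-xray-daemon';            // image name used in the question
const MANAGED = 'policy/AWSXRayDaemonWriteAccess'; // managed policy from the answer
const NEEDED = 'xray:PutTraceSegments';            // call behind "Sending segment batch"
const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// True if an IAM action pattern ("xray:*", "xray:Put*", "*") covers NEEDED.
function covers(pattern) {
  if (typeof pattern !== 'string') return false;
  const body = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp('^' + body + '$', 'i').test(NEEDED);
}

// Simplification (assumption): Resource and Condition elements of statements are ignored.
function roleCanWriteTraces(resources, roleId) {
  const role = resources[roleId];
  if (!role || role.Type !== 'AWS::IAM::Role') return false;
  // Managed policy ARNs are Fn::Join objects in synthesized templates; match the serialized form.
  const arns = asList((role.Properties || {}).ManagedPolicyArns);
  if (arns.some((a) => JSON.stringify(a).includes(MANAGED))) return true;
  // grant*() calls become separate AWS::IAM::Policy resources that Ref the role.
  return Object.values(resources).some((r) => r.Type === 'AWS::IAM::Policy' &&
    asList(r.Properties.Roles).some((x) => x && x.Ref === roleId) &&
    asList(r.Properties.PolicyDocument.Statement).some((s) =>
      s.Effect === 'Allow' && asList(s.Action).some(covers)));
}

// Returns logical IDs of task definitions that run the daemon without the permission.
function findUnauthorizedDaemons(template) {
  const resources = template.Resources || {};
  return Object.entries(resources).filter(([, r]) => {
    if (r.Type !== 'AWS::ECS::TaskDefinition') return false;
    const runsDaemon = asList(r.Properties.ContainerDefinitions)
      .some((c) => JSON.stringify(c.Image || '').includes(DAEMON_IMAGE));
    const roleId = ((r.Properties.TaskRoleArn || {})['Fn::GetAtt'] || [])[0];
    return runsDaemon && !roleCanWriteTraces(resources, roleId);
  }).map(([id]) => id);
}

// Constructed sample: the question's task before and after the answer's fix.
const taskDef = (role) => ({ Type: 'AWS::ECS::TaskDefinition', Properties: {
  TaskRoleArn: { 'Fn::GetAtt': [role, 'Arn'] },
  ContainerDefinitions: [{ Image: 'public.ecr.aws/xray/aws-xray-daemon:latest' }] } });
const sample = { Resources: {
  BeforeTask: taskDef('BeforeRole'), BeforeRole: { Type: 'AWS::IAM::Role', Properties: {} },
  AfterTask: taskDef('AfterRole'),
  AfterRole: { Type: 'AWS::IAM::Role', Properties: { ManagedPolicyArns: [{ 'Fn::Join':
    ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::aws:policy/AWSXRayDaemonWriteAccess']] }] } },
} };
console.log(findUnauthorizedDaemons(sample));
```

Run against the JSON in `cdk.out` after `cdk synth`, this flags the task before deployment instead of surfacing as an AccessDeniedException in the daemon's log stream.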
