How to specify logs CreateLogGroup permission for AWS ECS Fargate container in CloudFormation YAML

0 votes

I'm trying to replicate an extremely basic manually configured AWS ECS Fargate deployment of a single container using CloudFormation. Looks like I'm almost there; the resulting stack spins up a container I can access. But there are no logs.

I compared my manual task (created via the UI) and the CloudFormation one, and added an identical log configuration to the container definition, but simply changing the log group from /ecs/foo to /ecs/bar:

LogConfiguration:
  LogDriver: awslogs
  Options:
    awslogs-create-group: true
    awslogs-group: '/ecs/bar'
    awslogs-region: !Ref AWS::Region
    awslogs-stream-prefix: 'ecs'

But now the the task fails to start a container. It gives an error like this:

Resourceinitializationerror: failed to validate logger args: create stream has been retried 1 times: failed to create Cloudwatch log group: AccessDeniedException: User: arn:aws:sts::…:assumed-role/ecsTaskExecutionRole/… is not authorized to perform: logs:CreateLogGroup on resource: arn:aws:logs:us-east-1:…:log-group:/ecs/bar:log-stream: because no identity-based policy allows the logs:CreateLogGroup action status code: 400, request id: … : exit status 1

One documentation page mentions this logs:CreateLogGroup permission, and says:

To use the awslogs-create-group option, add logs:CreateLogGroup as an inline IAM policy.

But what I don't understand is how my CloudFormation template differs from the stack manually created via the UI. By looking at the generated template for the manually-created stack, it appears both task definitions indicate the ecsTaskExecutionRole. My CloudFormation template task definition has this:

ExecutionRoleArn: 'arn:aws:iam::…:role/ecsTaskExecutionRole'

How was the manually-created stack able to create the log group, but my standalone from-scratch CloudFormation template could not? Where would I indicate the logs:CreateLogGroup permission? The manually-created stack doesn't seem to indicate any inline policy. (Admittedly for some reason the manually-created task definition doesn't seem to use a CloudFormation stack, so maybe it has some hidden settings I'm not seeing in the UI.)

Feb 16 in AWS by Ashwini
• 3,750 points
82 views

No answer to this question. Be the first to respond.

Your answer

Your name to display (optional):
Privacy: Your email address will only be used for sending these notifications.

Related Questions In AWS

0 votes
0 answers

How to specify Ec2 Instance Attributes in a AWS::EMR::Cluster CloudFormation Template?

Very new to AWS and looking at ...READ MORE

Feb 10, 2022 in AWS by Rahul
• 2,080 points
120 views
0 votes
1 answer

How to provide tags for the stack in CloudFormation Template?

In the template anatomy, you cant set ...READ MORE

answered Aug 13, 2018 in AWS by bug_seeker
• 15,530 points
17,121 views
0 votes
1 answer

How to create new stack using create-change-set in AWS Cloudformation

The type of change set operation. To ...READ MORE

answered Sep 18, 2018 in AWS by Priyaj
• 58,100 points
3,259 views
+1 vote
1 answer

In GoDaddy how to validate a Domain For AWS ACM

For validate www.example.com you have to write just the ...READ MORE

answered Oct 29, 2018 in AWS by Priyaj
• 58,100 points
3,124 views
–1 vote
1 answer

How to find AWS instance Ids in yaml format from command line?

Hi@akhtar, By default AWS gives output in json ...READ MORE

answered Jun 2, 2020 in AWS by MD
• 95,460 points
360 views
0 votes
1 answer

How to create Fargate Profile in AWS EKS?

Hi@akhtar, You can use eksctl command to create ...READ MORE

answered Jul 6, 2020 in AWS by MD
• 95,460 points
901 views
0 votes
1 answer

AWS S3 uploading hidden files by default

versioning is enabled in your bucket. docs.aws.amazon.com/AmazonS3/latest/user-guide/….... the ...READ MORE

answered Oct 4, 2018 in AWS by Priyaj
• 58,100 points
4,198 views
–1 vote
1 answer

How to decrypt the encrypted S3 file using aws-encryption-cli --decrypt

Use command : aws s3 presign s3://mybucket/abc_count.png you get ...READ MORE

answered Oct 22, 2018 in AWS by Priyaj
• 58,100 points
4,166 views
0 votes
1 answer

Import my AWS credentials using python script

Using AWS Cli  Configure your IAM user then ...READ MORE

answered Nov 16, 2018 in AWS by Jino
• 5,810 points
2,162 views
0 votes
2 answers
webinar REGISTER FOR FREE WEBINAR X
REGISTER NOW
webinar_success Thank you for registering Join Edureka Meetup community for 100+ Free Webinars each month JOIN MEETUP GROUP