Question

I'm trying to replicate an extremely basic manually configured AWS ECS Fargate deployment of a single container using CloudFormation. Looks like I'm almost there; the resulting stack spins up a container I can access. But there are no logs.

I compared my manual task (created via the UI) and the CloudFormation one, and added an identical log configuration to the container definition, but simply changing the log group from /ecs/foo to /ecs/bar:

LogConfiguration:
  LogDriver: awslogs
  Options:
    awslogs-create-group: true
    awslogs-group: '/ecs/bar'
    awslogs-region: !Ref AWS::Region
    awslogs-stream-prefix: 'ecs'

But now the the task fails to start a container. It gives an error like this:

Resourceinitializationerror: failed to validate logger args: create stream has been retried 1 times: failed to create Cloudwatch log group: AccessDeniedException: User: arn:aws:sts::…:assumed-role/ecsTaskExecutionRole/… is not authorized to perform: logs:CreateLogGroup on resource: arn:aws:logs:us-east-1:…:log-group:/ecs/bar:log-stream: because no identity-based policy allows the logs:CreateLogGroup action status code: 400, request id: … : exit status 1

One documentation page mentions this logs:CreateLogGroup permission, and says:

To use the awslogs-create-group option, add logs:CreateLogGroup as an inline IAM policy.

But what I don't understand is how my CloudFormation template differs from the stack manually created via the UI. By looking at the generated template for the manually-created stack, it appears both task definitions indicate the ecsTaskExecutionRole. My CloudFormation template task definition has this:

ExecutionRoleArn: 'arn:aws:iam::…:role/ecsTaskExecutionRole'

How was the manually-created stack able to create the log group, but my standalone from-scratch CloudFormation template could not? Where would I indicate the logs:CreateLogGroup permission? The manually-created stack doesn't seem to indicate any inline policy. (Admittedly for some reason the manually-created task definition doesn't seem to use a CloudFormation stack, so maybe it has some hidden settings I'm not seeing in the UI.)

Answer 1

To specify the logs:CreateLogGroup permission for an AWS ECS Fargate container in CloudFormation YAML, you need to add an inline IAM policy to the execution role for the task. This will allow the task to create the CloudWatch log group if it does not already exist.

You can add the policy to the execution role using the Policies property in the task definition:

ExecutionRoleArn: 'arn:aws:iam::…:role/ecsTaskExecutionRole'
...
Policies:
  - PolicyName: logs-create-log-group
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action: logs:CreateLogGroup
          Resource: arn:aws:logs:*:*:log-group:/ecs/bar*

The above example creates an inline IAM policy named logs-create-log-group that allows the logs:CreateLogGroup action on any log group with a name that starts with /ecs/bar. You can customize the policy to match your specific needs.

Make sure to replace the execution role ARN with the ARN of the role you want to use for the task, and the log group name with the name of the log group you want to use for your task. Once you have added this policy to your task definition, you should be able to create the log group when you start a task using this task definition.

Ready to level up your coding game? Uncover the realm of microservices with our cutting-edge Microservices Developer Certification!