How to specify logs CreateLogGroup permission for AWS ECS Fargate container in CloudFormation YAML

0 votes

I'm trying to replicate an extremely basic manually configured AWS ECS Fargate deployment of a single container using CloudFormation. Looks like I'm almost there; the resulting stack spins up a container I can access. But there are no logs.

I compared my manual task (created via the UI) and the CloudFormation one, and added an identical log configuration to the container definition, but simply changing the log group from /ecs/foo to /ecs/bar:

LogConfiguration:
  LogDriver: awslogs
  Options:
    awslogs-create-group: true
    awslogs-group: '/ecs/bar'
    awslogs-region: !Ref AWS::Region
    awslogs-stream-prefix: 'ecs'

But now the the task fails to start a container. It gives an error like this:

Resourceinitializationerror: failed to validate logger args: create stream has been retried 1 times: failed to create Cloudwatch log group: AccessDeniedException: User: arn:aws:sts::…:assumed-role/ecsTaskExecutionRole/… is not authorized to perform: logs:CreateLogGroup on resource: arn:aws:logs:us-east-1:…:log-group:/ecs/bar:log-stream: because no identity-based policy allows the logs:CreateLogGroup action status code: 400, request id: … : exit status 1

One documentation page mentions this logs:CreateLogGroup permission, and says:

To use the awslogs-create-group option, add logs:CreateLogGroup as an inline IAM policy.

But what I don't understand is how my CloudFormation template differs from the stack manually created via the UI. By looking at the generated template for the manually-created stack, it appears both task definitions indicate the ecsTaskExecutionRole. My CloudFormation template task definition has this:

ExecutionRoleArn: 'arn:aws:iam::…:role/ecsTaskExecutionRole'

How was the manually-created stack able to create the log group, but my standalone from-scratch CloudFormation template could not? Where would I indicate the logs:CreateLogGroup permission? The manually-created stack doesn't seem to indicate any inline policy. (Admittedly for some reason the manually-created task definition doesn't seem to use a CloudFormation stack, so maybe it has some hidden settings I'm not seeing in the UI.)

Feb 16, 2023 in AWS by Ashwini
• 5,430 points
1,459 views

1 answer to this question.

0 votes

To specify the logs:CreateLogGroup permission for an AWS ECS Fargate container in CloudFormation YAML, you need to add an inline IAM policy to the execution role for the task. This will allow the task to create the CloudWatch log group if it does not already exist.

You can add the policy to the execution role using the Policies property in the task definition:

ExecutionRoleArn: 'arn:aws:iam::…:role/ecsTaskExecutionRole'
...
Policies:
  - PolicyName: logs-create-log-group
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action: logs:CreateLogGroup
          Resource: arn:aws:logs:*:*:log-group:/ecs/bar*


The above example creates an inline IAM policy named logs-create-log-group that allows the logs:CreateLogGroup action on any log group with a name that starts with /ecs/bar. You can customize the policy to match your specific needs.

Make sure to replace the execution role ARN with the ARN of the role you want to use for the task, and the log group name with the name of the log group you want to use for your task. Once you have added this policy to your task definition, you should be able to create the log group when you start a task using this task definition.

Ready to level up your coding game? Uncover the realm of microservices with our cutting-edge Microservices Developer Certification!

answered Feb 17, 2023 by sarit
• 1,830 points

Related Questions In AWS

0 votes
0 answers

How to specify Ec2 Instance Attributes in a AWS::EMR::Cluster CloudFormation Template?

Very new to AWS and looking at ...READ MORE

Feb 10, 2022 in AWS by Rahul
• 2,080 points
455 views
0 votes
1 answer

How to provide tags for the stack in CloudFormation Template?

In the template anatomy, you cant set ...READ MORE

answered Aug 13, 2018 in AWS by bug_seeker
• 15,520 points
19,115 views
0 votes
1 answer

How to create new stack using create-change-set in AWS Cloudformation

The type of change set operation. To ...READ MORE

answered Sep 18, 2018 in AWS by Priyaj
• 58,090 points
3,733 views
+1 vote
1 answer

In GoDaddy how to validate a Domain For AWS ACM

For validate www.example.com you have to write just the ...READ MORE

answered Oct 29, 2018 in AWS by Priyaj
• 58,090 points
4,017 views
0 votes
1 answer

AWS S3 uploading hidden files by default

versioning is enabled in your bucket. docs.aws.amazon.com/AmazonS3/latest/user-guide/….... the ...READ MORE

answered Oct 4, 2018 in AWS by Priyaj
• 58,090 points
5,635 views
–1 vote
1 answer

How to decrypt the encrypted S3 file using aws-encryption-cli --decrypt

Use command : aws s3 presign s3://mybucket/abc_count.png you get ...READ MORE

answered Oct 22, 2018 in AWS by Priyaj
• 58,090 points
4,983 views
0 votes
1 answer

Import my AWS credentials using python script

Using AWS Cli  Configure your IAM user then ...READ MORE

answered Nov 16, 2018 in AWS by Jino
• 5,820 points
2,688 views
0 votes
2 answers
0 votes
1 answer
0 votes
1 answer
webinar REGISTER FOR FREE WEBINAR X
REGISTER NOW
webinar_success Thank you for registering Join Edureka Meetup community for 100+ Free Webinars each month JOIN MEETUP GROUP