Morning everyone, I'm trying to stream my ECS Farg...
# fleetk
KK
05/24/2021, 11:43 AMMorning everyone, I'm trying to stream my ECS Fargate Fleet's osquery logs to Firehose, but my containers are failing to initialize with the error message:
Copy code
Error initializing service: initializing osquery logging: create firehose status logger: create Firehose writer: describe stream arn:aws:firehose:xx:xx:deliverystream/test_stream: NoCredentialProviders: no valid providers in chain. Deprecated.FLEET_FIREHOSE_STS_ASSUME_ROLE_ARNDescribeDeliveryStreamfirehosefirehoseFLEET_FIREHOSE_REGIONxxFLEET_FIREHOSE_RESULT_STREAMarn:aws:firehose:xx:xx:deliverystream/test_streamFLEET_FIREHOSE_STATUS_STREAMarn:aws:firehose:xx:xx:deliverystream/test_streamFLEET_FIREHOSE_STS_ASSUME_ROLE_ARNarn:aws:iam:xx:role/firehoseRolearn:aws:iam:xx:role/firehoseRolearn:aws:iam:xx:role/firehoseRolefirehose:DescribeDeliveryStreamfirehose:PutRecordBatcharn:aws:firehose:xx:xx:deliverystream/test_streamty 1
z
zwass
05/24/2021, 3:17 PM
@nyanshak @billcobbler any ideas what might be going on here? I know y'all use the assume role.
n
nyanshak
05/24/2021, 3:21 PMerr... I use osquery's assume role but not fleet so not very familiar with that aspect. Also don't use ECS Fargate 😐
So... not very familiar with fleet's errors / what they mean here. But based on the info provided, I would assume that this should work.
I'm not sure if maybe one of the things you think is configured is maybe not configured as you expect (e.g., a typo). But afaict, the config looks okay.
nyanshak
05/24/2021, 3:22 PMI don't know if there's maybe an issue specific to fargate or fleet's code though
k
KK
05/24/2021, 3:46 PMPossibly related to a troubleshooting hiccup of mine, but I'm now seeing that my ECS tasks cannot pull the Docker Hub fleet image and are failing to start with the following "Stopped reason":
CannotPullContainerError: ref pull has been retried 1 time(s): failed to copy: httpReaderSeeker: failed open: unexpected status code <https://registry-1.docker.io/v2/fleetdm/fleet/manifests/sha256:a6694d267a20c0f656304c6392efbec9f9bb88a2499f61c0e6f0dab2>...CannotPullContainerError: inspect image has been retried 5 time(s): httpReaderSeeker: failed open: unexpected status code <https://registry-1.docker.io/v2/fleetdm/fleet/manifests/sha256:a6694d267a20c0f656304c6392efbec9f9bb88a2499f61c0e6f0dab25e993a20>: 4... Copy code
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": [
"<http://ecs-tasks.amazonaws.com|ecs-tasks.amazonaws.com>"
]
},
"Action": "sts:AssumeRole"
}
]
} Copy code
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
]
}z
Zach Zeid
05/24/2021, 4:46 PMyou could be running into docker hub's rate limiting
k
KK
05/24/2021, 4:49 PM@Zach Zeid that seemed to be the case. I lowed the desired state to 0 and bumped it back up, the task has no issues pulling the image now. Appreciate your comment!
KK
05/24/2021, 5:42 PMAs for the original post, I managed to resolve the error by adding the
firehose:DescribeDeliveryStreamfirehose:PutRecordBatchfirehoseRoleFLEET_FIREHOSE_STS_ASSUME_ROLE_ARNn
nyanshak
05/24/2021, 5:43 PM(not being super familiar with this aspect) I would generally assume that STS is optional and that if you already have the correct permissions on the ECS task role, you could forego setting
FLEET_FIREHOSE_STS_ASSUME_ROLE_ARNty 1
nyanshak
05/24/2021, 5:43 PMbut I would love to get confirmation of that
nyanshak
05/24/2021, 5:44 PMbasically - you're already in AWS, able to give yourself all the right permissions, no reason to use STS assume role if you don't have to
nyanshak
05/24/2021, 5:44 PMobv there are cases where that's not true, but ... 🤷♀️
k
KK
05/24/2021, 6:18 PMI can confirm my ECS task can successfully push to Firehose without the ARN env var. Good call @nyanshak!
ty 1
14 Views