AWS::Event::Rule FailedInvocation debug info?
I have an AWS::Event::Rule that routes S3 put events to an ECS task. I can see from the metrics that the rule is triggered, but I can also see a FailedInvocation on every trigger. I suspect this is a permissions/policy problem, but I cannot find any debug information or logs. Is this debug information available somewhere?
I found that Lambda as a target has a similar problem, where it needs an additional permission on the Lambda side to allow triggering from events, but I cannot find a similar setting for ECS?
Here is the relevant CloudFormation code, which shows the current role for the ECS target:
```yaml
Resources:
  ECSTrigger:
    Type: AWS::Events::Rule
    Properties:
      ...
      Targets: # target of trigger: ECS
        - Arn:
            Fn::Sub: 'arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:cluster/${ClusterName}'
          Id: 'EcsTriggerTarget'
          InputTransformer:
            InputPathsMap:
              s3_bucket: "$.detail.requestParameters.bucketName"
              s3_key: "$.detail.requestParameters.key"
            InputTemplate: '{"containerOverrides": [{"environment": [{"name": "S3_BUCKET", "value": <s3_bucket>}, {"name": "S3_KEY", "value": <s3_key>}]}]}'
          EcsParameters:
            LaunchType: FARGATE
            PlatformVersion: LATEST
            TaskCount: 1
            TaskDefinitionArn:
              Ref: Task
            NetworkConfiguration:
              AwsVpcConfiguration:
                AssignPublicIp: DISABLED
                SecurityGroups: ...
                Subnets: ...
          RoleArn:
            Fn::GetAtt: [EcsTriggerRole, Arn]
  EcsTriggerRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: 'sts:AssumeRole'
            Principal:
              Service: 'events.amazonaws.com'
      ManagedPolicyArns:
        - Fn::Sub: 'arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonEC2ContainerServiceEventsRole'
```
It turns out the problem was that I was missing a "name" in the "containerOverrides" of the InputTemplate; it worked when I wrote it like this:
```yaml
InputTemplate:
  Fn::Sub: >-
    { "containerOverrides": [ {
      "name": "${ServiceContainerName}",
      "environment": [
        { "name":"S3_BUCKET", "value":<s3_bucket> },
        { "name":"S3_KEY", "value":<s3_key> } ]
    } ] }
```
I discussed this problem with an AWS support engineer today. According to them, debugging any FailedInvocation problem must be done at the resource level; it cannot be debugged at the EventBridge level. From our chat:
I just confirmed from internal cloudwatch team, cloudwatch do not provide any logs for failed invocation. Apart from the failedinvocation metrics, there is no logging available from cloudwatch side.
As mentioned, you need to rely on lambda logs or resources logs.
In other words, if your rule invokes ECS (the resource), the only debug logs available come from ECS and not from EventBridge. I asked the support engineer to file a feature request on behalf of my team, so you may also consider filing one through your AWS Support channel.
I just ran into a similar situation. I had configured an EventBridge rule to run an ECS task periodically, and I observed that the ECS task was not being invoked.
Then I looked at the RunTask events in CloudTrail and finally found a clear error message:
User: arn:aws:sts::xxxx:assumed-role/Amazon_EventBridge_Invoke_ECS/xxx is not authorized to perform: ecs:RunTask on resource: arn:aws:ecs:us-east-1:xxxx:task-definition/ECS_task
This showed that the role associated with the rule did not have sufficient permissions to pull the docker image.
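The CloudTrail check this answer describes, as an added example that is not part of the original post: it takes the "Events" list returned by CloudTrail's LookupEvents API (boto3 `lookup_events`), parses the JSON in each `CloudTrailEvent`, and keeps only ECS RunTask calls that carry an `errorCode`, which is where the access-denied message above surfaces. The sample events and the account id 111111111111 are constructed.

```python
import json
from typing import Iterable

# Constructed sample shaped like the "Events" list that
# boto3.client("cloudtrail").lookup_events(...) returns. The first entry
# mirrors the access-denied RunTask call quoted above; the second succeeded.
ACCOUNT = "111111111111"  # constructed placeholder account id
CALLER = f"arn:aws:sts::{ACCOUNT}:assumed-role/Amazon_EventBridge_Invoke_ECS/xxx"
SAMPLE_EVENTS = [
    {"EventName": "RunTask", "CloudTrailEvent": json.dumps({
        "eventSource": "ecs.amazonaws.com", "eventName": "RunTask",
        "userIdentity": {"arn": CALLER},
        "errorCode": "AccessDenied",
        "errorMessage": f"User: {CALLER} is not authorized to perform: ecs:RunTask "
                        f"on resource: arn:aws:ecs:us-east-1:{ACCOUNT}:task-definition/ECS_task",
    })},
    {"EventName": "RunTask", "CloudTrailEvent": json.dumps({
        "eventSource": "ecs.amazonaws.com", "eventName": "RunTask",
        "userIdentity": {"arn": CALLER},
        "responseElements": {"tasks": [{"lastStatus": "PROVISIONING"}]},
    })},
]


def failed_run_tasks(events: Iterable[dict]) -> list[dict]:
    """Return caller ARN, errorCode and errorMessage for every ECS RunTask
    call that CloudTrail recorded as failed. Successful calls carry no errorCode."""
    failures = []
    for event in events:
        detail = json.loads(event["CloudTrailEvent"])
        if detail.get("eventSource") != "ecs.amazonaws.com":
            continue
        if detail.get("eventName") != "RunTask" or "errorCode" not in detail:
            continue
        failures.append({
            "caller": detail.get("userIdentity", {}).get("arn"),
            "errorCode": detail["errorCode"],
            "errorMessage": detail.get("errorMessage", ""),
        })
    return failures


if __name__ == "__main__":
    # Against a real account, replace SAMPLE_EVENTS with the "Events" value of
    # boto3.client("cloudtrail").lookup_events(
    #     LookupAttributes=[{"AttributeKey": "EventName", "AttributeValue": "RunTask"}])
    for failure in failed_run_tasks(SAMPLE_EVENTS):
        print(f"{failure['caller']}: {failure['errorCode']} - {failure['errorMessage']}")
```

A failure whose caller is the rule's target role points at that role's policy (here, the ecs:RunTask action on the task definition), while the same call with no errorCode means EventBridge did reach ECS and the problem lies further down, in the task itself.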