Support for AWS ECS FARGATE TaskRole Credentials?

[mvn-bachhuynh-dn]

Please fill out the sections below to help us address your issue.

Version of AWS SDK for PHP?

AWS SDK latest
PHP 7.2

Version of AWS Service Provider for Laravel?

Version of Laravel (php artisan --version)?

Laravel Framework 6.6.0

Version of PHP (php -v)?

7.2

What issue did you see?

2019/12/19 13:43:10 [error] 38#38: *5 FastCGI sent in stderr: "PHP message: [2019-12-19 13:43:10] stg.ERROR: Aws\Exception\CredentialsException: Error retrieving credential from ECS (Client error: `GET http://169.254.170.2` resulted in a `404 Not Found` response:
404 page not found
) in /var/www/vendor/aws/aws-sdk-php/src/Credentials/EcsCredentialProvider.php:65

Steps to reproduce

If you have a runnable example, please include it as a snippet or link to a repository/gist for larger code examples.

I run task with command:

Command	["sh","-c","set -x;echo "clear_env = no" >> /etc/php/7.2/fpm/php-fpm.conf;export AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI;php artisan config:cache;php artisan migrate;service php7.2-fpm restart ;nginx -g "daemon off;""]

And try to upload an image function, get error:

It seems to be not able to get env AWS_CONTAINER_CREDENTIALS_RELATIVE_URI from ECS, and from export command.

Please help me!

Additional context

Any additional information relevant to the issue, for example PHP/environment config settings if the issue is related to memory or performance.

[zeroiszero]

what is the base image you using ? Maybe wrong directory for your*.conf file ?

I am using amazonlinux with PHP 7.3.

To override default PHP-FPM config, config file loaded from '/etc/php-fpm.d/*.conf' directory.
You can find out in default 'php-fpm.conf' file, like include=/etc/php-fpm.d/*.conf'.

[mvn-bachhuynh-dn]

Hi @zeroiszero
here is the result of command:
ps e -p 1
It lists all process with PID 1 and export env:

1 ? Ss 0:00 sh -c set -x;php artisan config:cache;php artisan migrate;service php7.2-fpm start ;ps e -p 1;nginx -g "daemon off;" PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin HOSTNAME=ip-172-22-31-114.ap-northeast-1.compute.internal MAIL_ENCRYPTION=null MIX_CLIENT_ID=XXXXX 
CHANNEL_ID_FAMILY_LOGIN=XXXXX CHANNEL_ACCESS_TOKEN_2=xxxxx CHANNEL_SECRET_2=xxxx DB_DATABASE=uni ADMIN_TOKEN_EXPIRATION_TIME=60 MAIL_HOST=smtp.sendgrid.net 
MIX_END_POINT=https://xxxxx/api/ APP_KEY=xxxxxx CHANNEL_SECRET_1=xxxxx 
ECS_CONTAINER_METADATA_URI=http://169.254.170.2/v3/393e0417-c1d1-4b2a-b4a4-fd254f50de47 
MIX_LIFF_ID_CATEGORIES_FAMILY=null MAIL_FROM_ADDRESS=null MIX_LIFF_ID_CATEGORIES=null 
MIX_LIFF_ID_SETTING=null MIX_LIFF_ID_QUESTIONS_ANSWERS=xxx APP_DEBUG=TRUE 
LOG_CHANNEL=errorlog MIX_LIFF_ID_INTRODUCESERVICE=null APP_NAME=Pigeon 
RICH_MENU_ID_1=xxxx CALLBACK_FAMILY_LOGIN=xxxx MAIL_DRIVER=smtp 
AWS_EXECUTION_ENV=AWS_ECS_FARGATE 
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/v2/credentials/790e6073-8eb7-4835-b438-919b679e8879 MAIL_USERNAME=null MIX_CHANNEL_ID_MAIN_PERSON=x MAIL_PORT=null 
RICH_MENU_ID_2=xxxx MIX_JWT_SECRET=xxxx APP_URL=https://xxxx 
PROLOGUE_RICH_MENU_ID=xxxx S3_TEMPORARY_URL_FILE_EXPIRED=null 
MIX_LIFF_ID_EDIT_ANSWER=null MIX_LIFF_ID_CONFIRMRECOMMEND=null AWS_REGION=ap-northeast-1 MIX_CLIENT_SECRET=xxxxx 
GET_FRIEND_STATUS_LINE_ENDPOINT=https://api.line.me/friendship/v1/status JWT_SECRET=xxxxx 
MIX_LIFF_ID_DISCLOSURE_FAMILY=null DB_PASSWORD=xxxxx MAIL_PASSWORD=null 
AWS_BUCKET=xxxx MIX_LIFF_ID_CATEGORY=null DB_CONNECTION=mysql DB_USERNAME=xxx 
CHANNEL_ACCESS_TOKEN_1=xxxxx DB_HOST=xxxx DB_PORT=3306 AWS_DEFAULT_REGION=ap-northeast-1 MIX_END_POINT_ADMIN=https://xxxxx/admin/api/ APP_ENV=stg DB_NAME=xxxx 
MAIL_FROM_NAME=null NGINX_VERSION=1.17.4 NJS_VERSION=0.3.5 PKG_RELEASE=1 HOME=/root

And I see that the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is available

But my application still get error:

2019/12/19 16:15:02 [error] 39#39: *89 FastCGI sent in stderr: "PHP message: [2019-12-19 16:15:02] 
stg.ERROR: Aws\Exception\CredentialsException: Error retrieving credential from ECS (Client error: `GET 
http://169.254.170.2` resulted in a `404 Not Found` response:
404 page not found

Could you please take a look?

[zeroiszero]

Issue in Nginx config ? You can take a look at nginx.conf

Reference: here and example

[mvn-bachhuynh-dn]

Hi @zeroiszero
Really happy when getting your response
Here is my nginx.conf

server {
      listen 80;
      index index.php index.html;
      root /var/www/public;

      location / {
          try_files $uri /index.php?$args;
      }

      location ~ \.php$ {
          fastcgi_split_path_info ^(.+\.php)(/.+)$;
          fastcgi_pass 127.0.0.1:9000;
          fastcgi_index index.php;
          include fastcgi_params;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_param PATH_INFO $fastcgi_path_info;
      }
}

why do you think the error from nginx_config?

If you have any chat application, I really happy when contact with you directly! Thank you so much!

[zeroiszero]

Hi @zeroiszero
Really happy when getting your response
Here is my nginx.conf

server {
      listen 80;
      index index.php index.html;
      root /var/www/public;

      location / {
          try_files $uri /index.php?$args;
      }

      location ~ \.php$ {
          fastcgi_split_path_info ^(.+\.php)(/.+)$;
          fastcgi_pass 127.0.0.1:9000;
          fastcgi_index index.php;
          include fastcgi_params;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_param PATH_INFO $fastcgi_path_info;
      }
}

why do you think the error from nginx_config?

If you have any chat application, I really happy when contact with you directly! Thank you so much!

Skype: https://join.skype.com/invite/pJeacIGpQseR

[mvn-bachhuynh-dn]

Hi All, and @zeroiszero
Thank you for your response,
I fixed it by creating .env file when launching a container ( Script to create .env in CMD or ENTRYPOINT)

So, I think this is a bug of aws-sdk-php-laravel, when the others work normally but the sdk.

[RanVaknin]

Hi there,

From reading the description of the issue, this was solved by correctly configuring the Env variable on your container. Once the env variable was correctly injected into the ECS container, the php laravel SDK picked up that and was able to resolve credentials. This is likely due to config and not the SDK. If the issue persists and other customers are hitting this issue, can you please set up a minimal reproduction (either by providing in depth steps to repro) or providing a minimal github repo that can reliably reproduce this issue?

For now I'll be closing this.
Thanks,
Ran~

[github-actions]

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.