
Set AWS EventBridge with ECS and Fargate

I have a container that is deployed with Fargate and runs without any issues when I select "Run Task" in ECS. The container uses S3, SES and CloudWatch services (it contains a Python script). When a task is run, I receive an email with output files. The next step is to trigger a task in ECS to run this container using Fargate on a schedule. For that, I am trying to use Amazon EventBridge. However, something is wrong, because the tasks fail to run.

The rule that I create has the following setup:

  • cron expression, which I have confirmed is valid (the next 10 triggered dates appear in the console).
  • choose AWS Service -> ECS Task and then set the cluster, task name and subnet ID.
  • I choose the task execution role (ecsTaskExecutionRole). This task has an Amazon_EventBridge_Invoke_ECS policy attached to it. This policy came from previous failed runs.

The event was successfully attached to the task in ECS, because if I go to the specified cluster and the tab Scheduled tasks, it is there. I have tried multiple configurations and I keep getting FailedInvocations, which makes me think it is a problem with the role policies.

I have created an additional target for the rule to log in CloudWatch, but the logs are not useful at all. I have also checked CloudTrail and looked for RunTask events. On some occasions, when I set a rule, no RunTask events are shown in CloudTrail. Other times they appear but do not show any ErrorCode. I also had instances where the RunTask events had the error InvalidParameterException: "No Container Instances were found in your cluster." Any ideas about what may be wrong?

I'm not sure this could be the problem for you.

I was having a VERY similar issue, and I fixed it by changing the role's policy to this:

{
    "Statement": [
        {
            "Action": [
                "iam:PassRole"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Action": [
                "ecs:RunTask"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        }
    ],
    "Version": "2012-10-17"
}

I have the feeling that you need to change your role to a new role that has this policy instead of the one that you mentioned (ecsTaskExecutionRole), since that role has the policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}

EDIT: Just to add. This would be the role that the EventBridge rule should have, not the task definition within the cluster. The task definition role should still be the one that you've mentioned (ecsTaskExecutionRole).
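
An added example, not part of the original answer: an offline check that reads a policy document and reports which of the two actions the EventBridge rule's role needs (ecs:RunTask, iam:PassRole) are missing, and which are granted on Resource "*". The function name and SCOPED_POLICY, with its placeholder ARNs (REGION, ACCOUNT_ID, TASK_FAMILY), are assumptions added here to show the same grant narrowed to one task definition and one role.

```python
import json
from fnmatch import fnmatchcase

# Actions the role assumed by the EventBridge rule needs to start the task.
REQUIRED = ("ecs:RunTask", "iam:PassRole")

def _as_list(value):
    """IAM accepts a bare string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)

def check_eventbridge_role(policy):
    """Return (missing, wildcard): required actions the policy never allows,
    and required actions it allows on Resource "*".
    Simplification: Deny statements and Condition blocks are not evaluated."""
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    allowed = {action: set() for action in REQUIRED}
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        for pattern in _as_list(stmt["Action"]):
            for action in REQUIRED:
                # IAM action names are case-insensitive and may use * and ?
                if fnmatchcase(action.lower(), pattern.lower()):
                    allowed[action].update(_as_list(stmt.get("Resource", [])))
    missing = [a for a in REQUIRED if not allowed[a]]
    wildcard = [a for a in REQUIRED if "*" in allowed[a]]
    return missing, wildcard

# The ecsTaskExecutionRole policy quoted in the answer.
EXECUTION_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*", "Action": [
    "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
    "logs:CreateLogStream", "logs:PutLogEvents"]}]}""")

# The policy from the answer, for the role the EventBridge rule uses.
ANSWER_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": ["*"]},
  {"Effect": "Allow", "Action": ["ecs:RunTask"], "Resource": ["*"]}]}""")

# Constructed variant: same actions, scoped to placeholder ARNs.
SCOPED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "ecs:RunTask",
   "Resource": "arn:aws:ecs:REGION:ACCOUNT_ID:task-definition/TASK_FAMILY:*"},
  {"Effect": "Allow", "Action": "iam:PassRole",
   "Resource": "arn:aws:iam::ACCOUNT_ID:role/ecsTaskExecutionRole"}]}""")
```

The first tuple element lists what the rule's role cannot do at all; the second lists grants worth narrowing before the role is used outside a test account.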
