amazon-ecs-agent: ecs-agent fails to connect when requiring SecureTransport

Summary

ecs-agent will fail to connect when you have a service control policy requiring the use of TLS.

Description

Deploy the following service control policy (terraform syntax):

# Wrapped in an aws_iam_policy_document data source so the snippet is a complete,
# plannable Terraform fragment; the data source name is arbitrary. The rendered
# JSON is what gets attached as the SCP (aws_organizations_policy, SERVICE_CONTROL_POLICY).
data "aws_iam_policy_document" "require_secure_transport" {
  statement {
    sid       = "RequireSecureTransport"
    effect    = "Deny"
    actions   = ["*"]
    resources = ["*"]

    # aws:SecureTransport is "false" for requests that do not arrive over TLS
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

You’ll see the following behavior:

  • the AWS Console ecs dashboard will show the agent as not connected
  • no tasks will get scheduled on the host
  • you will see the following connection errors in ecs-agent.log: [screenshot: Screen_Shot_2019-12-25_at_3_41_04_PM]
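Added example, not code from the ECS agent project or from the issue author: a minimal Python model of how the Deny statement above is evaluated against a single request, covering only the Bool condition operator (no Allow statements, no IfExists variants, no interaction with identity policies). It shows the three cases a practitioner hits with this SCP: a request over TLS (aws:SecureTransport "true") is not denied, a plaintext request ("false") is denied, and a request whose context carries no aws:SecureTransport key at all is not denied either, because a Bool condition on a missing key evaluates to false. The cluster ARN in the sample request is a constructed value; ecs:RegisterContainerInstance is a real ECS API action.

```python
"""Simplified evaluator for the RequireSecureTransport SCP.

Models only the subset of IAM policy evaluation this statement needs:
an explicit Deny with a 'Bool' condition on aws:SecureTransport.
"""
import fnmatch
import json

# The Terraform statement from the issue, rendered as the policy JSON that
# AWS Organizations stores for the SCP.
REQUIRE_SECURE_TRANSPORT_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RequireSecureTransport",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
""")


def _as_list(value):
    """Policy elements may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _bool_condition_matches(expected, context, key):
    """IAM 'Bool' operator: the request-context value must equal one of the
    policy values. A key that is absent from the context makes the condition
    false (only the Null and ...IfExists operators treat absence differently)."""
    if key not in context:
        return False
    actual = str(context[key]).lower()
    return any(actual == str(v).lower() for v in _as_list(expected))


def statement_denies(statement, action, resource, context):
    """True when this statement is a Deny that applies to the request."""
    if statement.get("Effect") != "Deny":
        return False
    # Action matching is case-insensitive with '*' / '?' wildcards.
    if not any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(statement["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, p)
               for p in _as_list(statement["Resource"])):
        return False
    for operator, pairs in statement.get("Condition", {}).items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, expected in pairs.items():
            if not _bool_condition_matches(expected, context, key):
                return False
    return True


def scp_denies(policy, action, resource, context):
    """An explicit Deny from any statement overrides everything else."""
    return any(statement_denies(s, action, resource, context)
               for s in policy["Statement"])


# Constructed sample request: the agent registering with a cluster.
AGENT_ACTION = "ecs:RegisterContainerInstance"
AGENT_RESOURCE = "arn:aws:ecs:us-east-1:123456789012:cluster/default"  # constructed ARN

SAMPLE_CONTEXTS = {
    "tls": {"aws:SecureTransport": "true"},
    "plaintext": {"aws:SecureTransport": "false"},
    "key_missing": {},
}


def evaluate_samples():
    """Return {context name: denied?} for the constructed request contexts."""
    return {name: scp_denies(REQUIRE_SECURE_TRANSPORT_SCP, AGENT_ACTION,
                             AGENT_RESOURCE, ctx)
            for name, ctx in SAMPLE_CONTEXTS.items()}


if __name__ == "__main__":
    for name, denied in evaluate_samples().items():
        print(f"{name:12s} -> {'DENIED' if denied else 'not denied by this SCP'}")
```

The practical consequence of the missing-key case is that this SCP is a sound way to express "deny plaintext": it denies only calls the service actually reports as non-TLS, so a Deny logged against an agent call means the backend evaluated that call with aws:SecureTransport set to false, not merely that the key was absent.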

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 15 (10 by maintainers)

Most upvoted comments

Hi, sorry for the lack of updates. We’ve identified an issue in the ECS backend and have implemented a fix. I will update this thread again once it is released.