Improve logging around task execution credentials

sparrc · Sep 17, 2024 · 5acd85d · 5acd85d
1 parent 9efed4e
commit 5acd85d
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 4 deletions.
diff --git a/agent/acs/session/payload_responder.go b/agent/acs/session/payload_responder.go
@@ -148,6 +148,13 @@ func (pmHandler *payloadMessageHandler) addPayloadTasks(payload *ecsacs.PayloadM
 				allTasksOK = false
 				continue
 			}
+			logger.Info("Found application credentials for task", logger.Fields{
+				loggerfield.TaskARN:       apiTask.Arn,
+				loggerfield.TaskVersion:   apiTask.Version,
+				loggerfield.RoleARN:       taskIAMRoleCredentials.RoleArn,
+				loggerfield.RoleType:      taskIAMRoleCredentials.RoleType,
+				loggerfield.CredentialsID: taskIAMRoleCredentials.CredentialsID,
+			})
 			apiTask.SetCredentialsID(taskIAMRoleCredentials.CredentialsID)
 		}
 
@@ -189,6 +196,13 @@ func (pmHandler *payloadMessageHandler) addPayloadTasks(payload *ecsacs.PayloadM
 				allTasksOK = false
 				continue
 			}
+			logger.Info("Found execution credentials for task", logger.Fields{
+				loggerfield.TaskARN:       apiTask.Arn,
+				loggerfield.TaskVersion:   apiTask.Version,
+				loggerfield.RoleARN:       taskExecutionIAMRoleCredentials.RoleArn,
+				loggerfield.RoleType:      taskExecutionIAMRoleCredentials.RoleType,
+				loggerfield.CredentialsID: taskExecutionIAMRoleCredentials.CredentialsID,
+			})
 			apiTask.SetExecutionRoleCredentialsID(taskExecutionIAMRoleCredentials.CredentialsID)
 		}
 

diff --git a/agent/api/task/task.go b/agent/api/task/task.go
@@ -1891,6 +1891,13 @@ func (task *Task) ApplyExecutionRoleLogsAuth(hostConfig *dockercontainer.HostCon
 	if hostConfig.LogConfig.Config == nil {
 		hostConfig.LogConfig.Config = map[string]string{}
 	}
+	logger.Info("Applying execution role credentials to container log auth", logger.Fields{
+		field.TaskARN:           executionRoleCredentials.ARN,
+		field.RoleType:          executionRoleCredentials.IAMRoleCredentials.RoleType,
+		field.RoleARN:           executionRoleCredentials.IAMRoleCredentials.RoleArn,
+		field.CredentialsID:     executionRoleCredentials.IAMRoleCredentials.CredentialsID,
+		awslogsCredsEndpointOpt: credentialsEndpointRelativeURI,
+	})
 	hostConfig.LogConfig.Config[awslogsCredsEndpointOpt] = credentialsEndpointRelativeURI
 	return nil
 }

diff --git a/agent/engine/docker_task_engine.go b/agent/engine/docker_task_engine.go
@@ -1692,16 +1692,26 @@ func (engine *DockerTaskEngine) setRegistryCredentials(
 		executionCredentials, ok := engine.credentialsManager.GetTaskCredentials(task.GetExecutionCredentialsID())
 		if !ok {
 			logger.Error("Unable to acquire ECR credentials to pull image for container", logger.Fields{
-				field.TaskID:    task.GetID(),
-				field.Container: container.Name,
-				field.Image:     container.Image,
+				field.TaskID:        task.GetID(),
+				field.Container:     container.Name,
+				field.Image:         container.Image,
+				field.CredentialsID: task.GetExecutionCredentialsID(),
+				field.RoleType:      credentials.ExecutionRoleType,
 			})
 			return nil, dockerapi.CannotPullECRContainerError{
 				FromError: errors.New("engine ecr credentials: not found"),
 			}
 		}
 
 		iamCredentials := executionCredentials.GetIAMRoleCredentials()
+		logger.Info("Setting task execution credentials for image pull registry auth", logger.Fields{
+			field.TaskID:        task.GetID(),
+			field.Container:     container.Name,
+			field.Image:         container.Image,
+			field.RoleType:      iamCredentials.RoleType,
+			field.RoleARN:       iamCredentials.RoleArn,
+			field.CredentialsID: iamCredentials.CredentialsID,
+		})
 		container.SetRegistryAuthCredentials(iamCredentials)
 		cleanup = func() { container.SetRegistryAuthCredentials(credentials.IAMRoleCredentials{}) }
 	}

diff --git a/agent/engine/task_manager.go b/agent/engine/task_manager.go
@@ -1582,7 +1582,8 @@ func (mtask *managedTask) cleanupTask(taskStoppedDuration time.Duration) {
 	// Remove TaskExecutionCredentials from credentialsManager
 	if taskExecutionCredentialsID != "" {
 		logger.Info("Cleaning up task's execution credentials", logger.Fields{
-			field.TaskID: mtask.GetID(),
+			field.TaskID:        mtask.GetID(),
+			field.CredentialsID: taskExecutionCredentialsID,
 		})
 		mtask.credentialsManager.RemoveCredentials(taskExecutionCredentialsID)
 	}

diff --git a/agent/vendor/github.com/aws/amazon-ecs-agent/ecs-agent/logger/field/constants.go b/agent/vendor/github.com/aws/amazon-ecs-agent/ecs-agent/logger/field/constants.go
diff --git a/ecs-agent/logger/field/constants.go b/ecs-agent/logger/field/constants.go
@@ -65,4 +65,6 @@ const (
 	ServiceConnectEndpoint  = "serviceConnectEndpoint"
 	Response                = "response"
 	Request                 = "request"
+	RoleType                = "roleType"
+	RoleARN                 = "roleARN"
 )