5

I am configuring a CI/CD pipeline using AWS services (CodeBuild, CodePipeline, etc.) to update the deployment in my ECS Fargate cluster. In my buildspec.yml file, the aws ecs CLI commands are failing, throwing "COMMAND_EXECUTION_ERROR: Error while executing command: aws ecs update-service --services xxxxx. Reason: exit status 255"

I have tried providing permission to the codebuild role with "AmazonECS_FullAccess" policy.

post_build:  
    commands:  
      - echo Build completed on `date`  
      - echo Pushing the Docker images...  
      - docker push $REPOSITORY_URI:latest  
      - docker push $REPOSITORY_URI:$IMAGE_TAG  
      - echo Writing image definitions file...  
      - printf '[{"name":"xxxxxxx","imageUri":"%s"}]' $REPOSITORY_URI:$IMAGE_TAG > imagedefinitions.json  
      - cat imagedefinitions.json 
      - echo Updating ECSfargate service ...  
      - aws ecs describe-services --services xxxxxxxxxxxxxxxxx 
      - aws ecs update-service --service xxxxxxxxxxxxxxxxx --desired-count 2 --no-force-new-deployment  

4 Answers

1

Attaching a policy of AmazonEC2ContainerRegistryPowerUser fixed this issue for me.


Comments

0

Error Code 255 means:

255 -- Command failed. There were errors thrown by either the CLI or by the service the request was made to.

https://docs.aws.amazon.com/cli/latest/topic/return-codes.html

As you mentioned, you have provided full ECS access to the CB role, so the next thing you can check is why the command is failing: is it failing on ecs describe or ecs update-service? If the Fargate service did not stabilize, it will result in error 255.

I would suggest to:

1) Just leave the ecs describe command and see if that works.

2) If (1) is successful, then do the ecs update-service and monitor the service in the AWS ECS console and/or the CW log group if your Fargate Taskdef has a logGroup entry.

Comments

0

You'll need to grant the permission GetAuthorizationToken of your pipeline to

ecr:*

instead of to

ecr:repository/<you_repo>

because

aws ecr get-login-password --region <aws_region>

is executed against

<account_id>.dkr.ecr.<aws_region>.amazonaws.com 

and not against

<account_id>.dkr.ecr.<aws_region>.amazonaws.com/repository/<your_repo>

Comments
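The distinction this answer draws can be checked against a policy document before it is attached to the CodeBuild role. The following is an added example, not code from the original thread: `ecr:GetAuthorizationToken` does not support resource-level permissions, so it only takes effect with `"Resource": "*"`, while the image push actions can stay scoped to the repository ARN. The sample policy, account ID, region, repository name and function names are constructed for illustration.

```python
import fnmatch

# Constructed sample: account ID, region and repository name are placeholders.
REPO_ARN = "arn:aws:ecr:us-east-1:111122223333:repository/my-repo"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ecr:GetAuthorizationToken", "ecr:PutImage"],
         "Resource": REPO_ARN},
        {"Effect": "Allow", "Action": "ecs:UpdateService", "Resource": "*"},
    ],
}
PUSH_ACTIONS = ["ecr:BatchCheckLayerAvailability", "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows(stmt, action):
    """True if an Allow statement's Action patterns (with * and ?) cover `action`."""
    if stmt.get("Effect") != "Allow" or "Action" not in stmt:
        return False
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(stmt["Action"]))

def check_ecr_login(policy):
    """Return (ok, findings); ok means the token action is allowed on Resource "*"."""
    ok, findings = False, []
    for index, stmt in enumerate(_as_list(policy["Statement"])):
        if not allows(stmt, "ecr:GetAuthorizationToken"):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if "*" in resources:
            ok = True
        else:
            findings.append(f"Statement {index}: ecr:GetAuthorizationToken is "
                            f"limited to {resources} and will never match")
    return ok, findings

def scoped_policy(repo_arn):
    """Token action on "*", image push actions restricted to one repository."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
        {"Effect": "Allow", "Action": PUSH_ACTIONS, "Resource": repo_arn},
    ]}
```

`check_ecr_login(SAMPLE_POLICY)` flags statement 0, and `scoped_policy(REPO_ARN)` passes the same check without granting `ecr:*` on every repository.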

0

I have had the same problem as you, and the way I fixed it was by the following: try going to CodeBuild and then to its IAM role. AmazonEC2ContainerRegistryFullAccess role and now click on 'Edit' for that CodeBuild project, select 'Environment', and click on 'Allow AWS CodeBuild to modify this service role so it can be used with this building project'. Now try again.

Using PrivilegedMode mode in the CodeBuild project. The mode is required when building a docker image inside a docker container.

Cheers

Comments
