When I create a DynamoDB VPC Gateway Endpoint, it breaks an ECS task that connects to DynamoDB. The ECS task/service/cluster is in the same VPC in the same region as the gateway endpoint on a private subnet, and its security group allows outbound access to DynamoDB. The VPC has DNS resolution and DNS hostnames enabled.
The task is running aws-sdk for C++ to connect to a DynamoDB table and returns the following error when we try to use the gateway endpoint:
ERROR: Failed to get item: Invalid DNS Label found in URI host
As soon as I remove the endpoint the task stops failing.
I tried creating a VPC Gateway Endpoint for DynamoDB to alleviate some traffic on our NAT gateway and I expected the ECS task to still be able to connect to DynamoDB through the gateway endpoint.
It turned out that the container was missing a necessary permission in its role:
Error message: User: arn:aws:sts::XXX:assumed-role/dataSaverContainerRole/XXX is not authorized to perform: dynamodb:DescribeEndpoints on resource: * because no identity-based policy allows the dynamodb:DescribeEndpoints action
Once I added the permission it started working.
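Added example, not code from the original post: a minimal task-role policy of the kind the answer above describes, before and after adding `dynamodb:DescribeEndpoints` (the call the AWS SDKs make for DynamoDB endpoint discovery), plus a small offline evaluator that shows why the first policy fails that check. The table ARN, account id, region and the exact data-plane actions are assumptions for illustration; the evaluator handles only Allow/Deny with IAM-style `*`/`?` wildcards and ignores conditions, so it is a teaching aid rather than a substitute for the IAM policy simulator.

```python
"""Added example (not from the original post): an ECS task-role policy for a
DynamoDB client that uses endpoint discovery, plus an offline check that
explains the AccessDenied on dynamodb:DescribeEndpoints."""
import fnmatch
import json

# Assumed identifiers for illustration only (region, account id, table name).
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/DataSaver"


def task_role_policy_before() -> dict:
    """Only data-plane actions on the table. This shape produces the
    'not authorized to perform: dynamodb:DescribeEndpoints' error when the
    SDK performs endpoint discovery before the first GetItem."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TableAccess",
                "Effect": "Allow",
                "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
                "Resource": TABLE_ARN,
            }
        ],
    }


def task_role_policy_after() -> dict:
    """Same policy plus DescribeEndpoints. DescribeEndpoints is not scoped to
    a table, so it gets its own statement with Resource "*"; the table
    statement stays tightly scoped."""
    policy = task_role_policy_before()
    policy["Statement"].append(
        {
            "Sid": "EndpointDiscovery",
            "Effect": "Allow",
            "Action": "dynamodb:DescribeEndpoints",
            "Resource": "*",
        }
    )
    return policy


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Minimal identity-policy evaluation: an explicit Deny wins, otherwise
    any matching Allow grants. Action matching is case-insensitive and
    resource matching is case-sensitive, as in IAM; conditions are ignored."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for name, policy in (("before", task_role_policy_before()),
                         ("after", task_role_policy_after())):
        print(f"--- {name} ---")
        print(json.dumps(policy, indent=2))
        print("DescribeEndpoints allowed:",
              is_allowed(policy, "dynamodb:DescribeEndpoints", "*"))
        print("GetItem on table allowed:",
              is_allowed(policy, "dynamodb:GetItem", TABLE_ARN))
```

Run it to print both policy documents and the evaluation result for each; the "before" policy denies DescribeEndpoints while still allowing GetItem on the table, which is exactly the combination the answer above reports.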