AWS ECS Fargate service task unable to access AWS Rekognition service - 504 Gateway Timeout
I have setup an ECS Fargate service. Task is setup with a task role. Also, I have a VPC endpoint setup for the Rekognition service. However, I am getting a 504 Gateway timeout when calling the Rekognition service API.
Please note that I am able to make a call to the S3 buckets with a similar setup.
What am I missing when connecting to the Rekognition API?
Task Role Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rekognition:*"
],
"Resource": "*"
}
]
}
Task Role Trust Relations:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Service Security Group Inbound/Outbound Rules:
Subnets: ECS Services are running in a private subnet.
Solution
Upon rechecking my network configurations, I realized I had not enabled the Private DNS names flag preventing me from using the Rekognition API. Thanks to @MarkB for the help.
To summarize:
- ECS Fargate service's task has a Task Role, which allows access to the Rekognition Service. In my case, I attached the
AmazonRekognitionFullAccesspolicy to the Task Role. - ECS Service's security group has the required Inbound/Outbound rules.
- VPC Endpoint -> If the services are in a private subnet and you want to make a private call -> Add a VPN Endpoint with the service name
com.amazonaws.us-west-2.rekognition. Also, enable the Private DNS names. - VPC Endpoints security group has the required Inbound/Outbound rules. And VPC Endpoint Policy is set up as needed.
- Amazon SES cannot find DNS Records for "custom MAIL FROM domain" (after some time)
- How to make inference to a keras model hosted on AWS SageMaker via AWS Lambda function?
- How to deploy a Pre-Trained model using AWS SageMaker Notebook Instance?
- AWS sts assume role in one command
- How to connect AWS Elasticache Redis cluster to Spring Boot app?
- AWS elastic Beanstalk / nginx : connect() failed (111: Connection refused
- AWS ECS exec /usr/local/bin/docker-entrypoint.sh: exec format error
- How can I delete folder on S3 with Node.js?
- Enable caching for url query parameters in aws api gateway with terraform
- AWS IAM role principal vs role session principal
- Setting directory owner and permission with appspec.yml through Amazon Web Service CodeDeploy
- How to update multiple items in a DynamoDB table at once
- https on S3 WITHOUT cloudfront possible?
- How to query Views in Athena in a AWS Glue ETL job
- AWS glue to extract json referenced by id
- Unable to delete AWS VPC Endpoint
- Amazon textextract I can't find trp module
- Can't find AWS Lightsail permissions policy for my IAM user
- How to query dynamoDB based on key + attribute?
- AWS Bedrock RAG - Unable to sync data source in a knowledge base
- How to duplicate a Redshift table schema?
- SpringBoot + AWS cognito, can't resolve issuerUri
- image failed to show when Upload from Lambda
- How to use dynamoose in AWS AppSync JS resolver?
- How message from AWS DLQ gets deleted?
- Template format error: unsupported structure seen in AWS CloudFormation
- AWS InvalidSignatureException, Signature expired when running from docker container
- AWS Glue - o109.pyWriteDynamicFrame. ERROR: relation "xyz" already exists
- AWS - NoCredentialsError: Unable to locate credentials
- Amazon Athena CREATE EXTERNAL TABLE mismatched input 'external' invalidrequestexception