I'm using AWS App Mesh with ECS Fargate. Unfortunately, in the logs of the Envoy sidecar I see errors like:
[error][aws] [source/extensions/common/aws/credentials_provider_impl.cc:94] Could not retrieve credentials listing from the instance metadata
[1][warning][config] [bazel-out/k8-opt/bin/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:93] StreamAggregatedResources gRPC config stream closed: 16, Missing Authentication Token
Permission: AWSAppMeshFullAccess
I already checked the AWS App Mesh User Guide.
{
  "name" : "envoy",
  "image" : "840364872350.dkr.ecr.us-west-2.amazonaws.com/aws-appmeshenvoy:v1.15.1.0-prod",
  "essential" : true,
  "environment" : [
    {
      "name" : "APPMESH_VIRTUAL_NODE_NAME",
      "value" : "mesh/apps/virtualNode/serviceB"
    },
    {
      "name": "ENABLE_ENVOY_XRAY_TRACING",
      "value": "1"
    }
  ],
  "healthCheck" : {
    "command" : [
      "CMD-SHELL",
      "curl -s http://localhost:9901/server_info | grep state | grep -q LIVE"
    ],
    "interval" : 5,
    "retries" : 3,
    "startPeriod" : 10,
    "timeout" : 2
  },
  "memory" : "500",
  "user" : "1337",
  "portMappings": [
    {
      "containerPort": 9901,
      "protocol": "tcp"
    },
    {
      "containerPort": 15000,
      "protocol": "tcp"
    },
    {
      "containerPort": 15001,
      "protocol": "tcp"
    }
  ],
  "ulimits": [
    {
      "softLimit": 15000,
      "hardLimit": 15000,
      "name": "nofile"
    }
  ],
  "requiresCompatibilities" : [ "FARGATE" ],
  "taskRoleArn" : "arn:aws:iam::XXXXXXXXXXXX:role/ecsTaskRole",
  "executionRoleArn" : "arn:aws:iam::XXXXXXXXXXXX:role/ecsTaskExecutionRole",
  "networkMode" : "awsvpc"
}
Have you configured the Proxy Configuration for your ECS Task to ignore the metadata IP?
It is similar to this
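
Added example, not part of the original answer and not AWS's own code: a small Python check for the proxy configuration the answer asks about, run against a task definition before it is registered. It assumes the ECS `proxyConfiguration` property names used for App Mesh and that the addresses to exclude are 169.254.170.2 and 169.254.169.254; `audit_proxy_config`, both sample task definitions and the `AppPorts` value are constructed for illustration.

```python
# Link-local endpoints that must bypass the proxy (assumption from AWS docs):
# 169.254.170.2 = ECS task credentials endpoint, 169.254.169.254 = instance metadata.
METADATA_IPS = {"169.254.170.2", "169.254.169.254"}


def audit_proxy_config(task_def, envoy_name="envoy"):
    """Return a list of findings; an empty list means every check passed."""
    envoy = next((c for c in task_def.get("containerDefinitions", [])
                  if c.get("name") == envoy_name), None)
    if envoy is None:
        return [f"no container named {envoy_name!r}"]
    proxy = task_def.get("proxyConfiguration")
    if not proxy:
        return ["proxyConfiguration is missing"]
    findings = []
    if proxy.get("type") != "APPMESH":
        findings.append("proxyConfiguration.type is not APPMESH")
    if proxy.get("containerName") != envoy_name:
        findings.append("proxyConfiguration.containerName is not the Envoy container")
    # ECS stores the properties as a list of {"name": ..., "value": ...} pairs.
    props = {p["name"]: p["value"] for p in proxy.get("properties", [])}
    ignored = {ip.strip() for ip in props.get("EgressIgnoredIPs", "").split(",")}
    missing = sorted(METADATA_IPS - ignored)
    if missing:
        findings.append("EgressIgnoredIPs lacks " + ",".join(missing))
    # Envoy's own traffic must skip redirection, so IgnoredUID must equal its user.
    if props.get("IgnoredUID") != str(envoy.get("user")):
        findings.append("IgnoredUID does not match the Envoy container user")
    return findings


# Constructed input: the question's container reduced to the fields checked here,
# wrapped in containerDefinitions; it carries no proxyConfiguration.
QUESTION_TASK = {"containerDefinitions": [{"name": "envoy", "user": "1337"}]}
# Constructed corrected variant; the AppPorts value is a placeholder.
FIXED_TASK = dict(QUESTION_TASK, proxyConfiguration={
    "type": "APPMESH",
    "containerName": "envoy",
    "properties": [
        {"name": "IgnoredUID", "value": "1337"},
        {"name": "ProxyIngressPort", "value": "15000"},
        {"name": "ProxyEgressPort", "value": "15001"},
        {"name": "AppPorts", "value": "8080"},
        {"name": "EgressIgnoredIPs", "value": "169.254.170.2,169.254.169.254"},
    ],
})

if __name__ == "__main__":
    print(audit_proxy_config(QUESTION_TASK), audit_proxy_config(FIXED_TASK))
```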