AWS by HTTP template incompatible with ECS Fargate metadata (169.254.170.2) and IMDSv2, resulting in failed metrics


    • Type: Problem report
    • Resolution: Unresolved
    • Priority: Trivial
    • None
    • Affects Version/s: 7.0.21
    • Component/s: Proxy (P)
    • None
    • Environment:

      Steps to Reproduce
      1. Deploy Zabbix Proxy on ECS Fargate

      Create an ECS task definition for Zabbix Proxy.

      Attach IAM role with AdministratorAccess (also tested with limited AWS permissions).

      Deploy task in a subnet with NAT gateway (internet confirmed working).

      2. Import AWS HTTP Templates

      Import templates/cloud/AWS/aws_http from Zabbix repository.

      Apply templates:

      AWS ECS

      AWS EC2

      AWS Backup

      AWS ELB
      (All templates behave the same.)

      3. Configure Zabbix Host

      Add host with:

      {$AWS.AUTH_TYPE} = role_base
      {$AWS.ECS.CLUSTER.NAME} = prod-cluster
      {$AWS.REGION} = eu-central-1

      No agent interface, monitored by Zabbix Proxy.

      4. Let Proxy execute checks

      Monitor proxy logs:

      docker logs -f zabbix-proxy

      5. Observe template internal requests

      Template attempts to call 169.254.169.254 for metadata (EC2 metadata endpoint).
      This fails in ECS Fargate.

      If manually replaced with ECS metadata IP 169.254.170.2, next failure appears.

       

      Result:

      Behavior 1 – Default template (EC2 metadata IP 169.254.169.254)

      Errors in proxy log:

      [ AWS ECS ] ERROR: Error: cannot get URL: Could not connect to server.
      [ AWS EC2 ] ERROR: Could not connect to server.
      [ AWS Backup ] ERROR: cannot get URL: Could not connect to server.

      Behavior 2 – After manually changing metadata IP to 169.254.170.2

      New error appears:

      [ AWS ECS ] ERROR: Error getting IMDSv2 session token.

      This means:

      Template is trying to retrieve IMDSv2 session token

      But ECS Fargate’s metadata endpoint requires IMDSv2 workflow, which the template does not perform

      Therefore all AWS requests fail

      Outcome

      AWS ECS template does not work on ECS Fargate

      AWS credentials are not retrieved

      All AWS HTTP checks fail

      Template is not compatible with ECS task role credential system

      Expected:

      AWS HTTP template should correctly support ECS/Fargate execution environment, using:

      ECS metadata endpoint: 169.254.170.2

      Proper IMDSv2 token workflow:

      PUT request to /latest/api/token

      Including X-aws-ec2-metadata-token header in subsequent requests

      When using role_base, template should use task IAM role seamlessly without calling IMDS.

      Template should successfully gather ECS metrics from AWS API.

            Assignee:
            Genadijs Jeniceks
            Reporter:
            ehsan muhammad ali
            Votes:
            0
            Watchers:
            1

              Created:
              Updated:
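
For reference on the two credential paths this report touches, here is an added example; it is not code from the Zabbix template or from the reporter. It contrasts how AWS SDKs obtain ECS task-role credentials (a plain GET to 169.254.170.2 at the path in `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`) with the EC2 IMDSv2 token workflow. `resolveCredentials`, `pick` and `fakeTransport` are hypothetical names, the transport is a synchronous stand-in for an HTTP client, and all responses are constructed.

```javascript
// Added example: resolveCredentials, pick and fakeTransport are hypothetical names.
const ECS_HOST = 'http://169.254.170.2';     // ECS/Fargate task credential endpoint
const IMDS_HOST = 'http://169.254.169.254';  // EC2 instance metadata service

// http(method, url, headers) -> { status, body }; synchronous, injected by the caller.
function resolveCredentials(env, http) {
  const rel = env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI;
  if (rel) {
    // Task role: one plain GET, no session token involved.
    const r = http('GET', ECS_HOST + rel, {});
    if (r.status !== 200) throw new Error('ECS credential endpoint returned ' + r.status);
    return Object.assign({ source: 'ecs-task-role' }, pick(JSON.parse(r.body)));
  }
  // EC2 instance role: IMDSv2 session token first, then token-bearing GETs.
  const t = http('PUT', IMDS_HOST + '/latest/api/token',
                 { 'X-aws-ec2-metadata-token-ttl-seconds': '21600' });
  if (t.status !== 200) throw new Error('Error getting IMDSv2 session token');
  const hdr = { 'X-aws-ec2-metadata-token': t.body };
  const base = IMDS_HOST + '/latest/meta-data/iam/security-credentials/';
  const role = http('GET', base, hdr);
  if (role.status !== 200) throw new Error('no instance role: ' + role.status);
  const c = http('GET', base + role.body.trim(), hdr);
  if (c.status !== 200) throw new Error('IMDS credential fetch returned ' + c.status);
  return Object.assign({ source: 'ec2-imdsv2' }, pick(JSON.parse(c.body)));
}

// Normalise the credential document (same key names on both endpoints).
function pick(doc) {
  return { accessKeyId: doc.AccessKeyId, secretAccessKey: doc.SecretAccessKey,
           sessionToken: doc.Token, expiration: doc.Expiration };
}

// Constructed stand-in for both endpoints so the example runs offline.
function fakeTransport(kind, log) {
  const creds = JSON.stringify({ AccessKeyId: 'AKIDEXAMPLE', SecretAccessKey: 'constructed',
                                 Token: 'constructed-session', Expiration: '2030-01-01T00:00:00Z' });
  return function (method, url, headers) {
    log.push(method + ' ' + url);
    if (kind === 'fargate') {
      // As in Behavior 1 of the report: nothing answers on the EC2 metadata IP.
      if (url.startsWith(IMDS_HOST)) return { status: 0, body: '' };
      return { status: 200, body: creds };
    }
    if (method === 'PUT' && url.endsWith('/latest/api/token')) return { status: 200, body: 'tok' };
    if (headers['X-aws-ec2-metadata-token'] !== 'tok') return { status: 401, body: '' };
    return { status: 200, body: url.endsWith('/') ? 'demo-role\n' : creds };
  };
}
```

Inside the proxy container, checking whether `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` is set shows which branch applies.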