Identify Amazon ECS optimization opportunities using application trace data - Amazon Elastic Container Service

Identify Amazon ECS optimization opportunities using application trace data

Amazon ECS integrates with Amazon Distro for OpenTelemetry to collect trace data from your application. Amazon ECS uses an Amazon Distro for OpenTelemetry sidecar container to collect and route trace data to Amazon X-Ray. For more information, see Setting up Amazon Distro for OpenTelemetry Collector in Amazon ECS. You can then use Amazon X-Ray to identify errors and exceptions and to analyze performance bottlenecks and response times.

For the Amazon Distro for OpenTelemetry Collector to send trace data to Amazon X-Ray, your application must be configured to create the trace data. For more information, see Instrumenting your application for Amazon X-Ray in the Amazon X-Ray Developer Guide.

Required IAM permissions for Amazon Distro for OpenTelemetry integration with Amazon X-Ray

The Amazon ECS integration with Amazon Distro for OpenTelemetry requires that you create a task role and specify the role in your task definition. We recommend that you configure the Amazon Distro for OpenTelemetry sidecar to route container logs to CloudWatch Logs.

Important

If you also collect application metrics using the Amazon Distro for OpenTelemetry integration, ensure your task IAM role also contains the permissions necessary for that integration. For more information, see Correlate Amazon ECS application performance using application metrics.

Create the following policy, and then attach it to the task execution role.

To use the JSON policy editor to create a policy
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane on the left, choose Policies.

    If this is your first time choosing Policies, the Welcome to Managed Policies page appears. Choose Get Started.

  3. At the top of the page, choose Create policy.

  4. In the Policy editor section, choose the JSON option.

  5. Enter the following JSON policy document:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "logs:PutLogEvents",
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:DescribeLogStreams",
                    "logs:DescribeLogGroups",
                    "logs:PutRetentionPolicy",
                    "xray:PutTraceSegments",
                    "xray:PutTelemetryRecords",
                    "xray:GetSamplingRules",
                    "xray:GetSamplingTargets",
                    "xray:GetSamplingStatisticSummaries",
                    "ssm:GetParameters"
                ],
                "Resource": "*"
            }
        ]
    }

  6. Choose Next.

    Note

    You can switch between the Visual and JSON editor options anytime. However, if you make changes or choose Next in the Visual editor, IAM might restructure your policy to optimize it for the visual editor. For more information, see Policy restructuring in the IAM User Guide.

  7. On the Review and create page, enter a Policy name and a Description (optional) for the policy that you are creating. Review Permissions defined in this policy to see the permissions that are granted by your policy.

  8. Choose Create policy to save your new policy.
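
The policy in step 5 allows every listed action on "Resource": "*". The following Python script is an added example, not part of the AWS documentation: it splits the same actions into per-service statements and scopes the CloudWatch Logs and Systems Manager actions to named resources. It assumes the collector writes to one log group and reads one parameter, that the listed X-Ray actions take no resource ARN, and it uses constructed placeholder values for the Region, account ID, log group and parameter name.

```python
import json

# Actions from the policy in step 5 of the procedure above.
PAGE_ACTIONS = [
    "logs:PutLogEvents", "logs:CreateLogGroup", "logs:CreateLogStream",
    "logs:DescribeLogStreams", "logs:DescribeLogGroups", "logs:PutRetentionPolicy",
    "xray:PutTraceSegments", "xray:PutTelemetryRecords", "xray:GetSamplingRules",
    "xray:GetSamplingTargets", "xray:GetSamplingStatisticSummaries",
    "ssm:GetParameters",
]


def scoped_policy(partition, region, account_id, log_group, parameter_name):
    """Split the page's single wildcard statement into per-service statements."""
    def arn(service, resource):
        return f"arn:{partition}:{service}:{region}:{account_id}:{resource}"

    log_arn = arn("logs", f"log-group:{log_group}")
    resources = {
        "logs": [log_arn, f"{log_arn}:*"],  # the group and the streams under it
        # Assumption: these X-Ray actions take no resource ARN, so "*" stays.
        "xray": ["*"],
        # Parameter ARNs drop the leading "/" of a hierarchical parameter name.
        "ssm": [arn("ssm", "parameter/" + parameter_name.lstrip("/"))],
    }
    by_service = {}
    for action in PAGE_ACTIONS:
        by_service.setdefault(action.split(":", 1)[0], []).append(action)
    statements = [
        {"Sid": service.capitalize(), "Effect": "Allow",
         "Action": actions, "Resource": resources[service]}
        for service, actions in by_service.items()
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def wildcard_actions(policy):
    """Return allowed actions still on Resource "*" (Resource must be a list)."""
    return [action for stmt in policy["Statement"]
            if stmt["Effect"] == "Allow" and "*" in stmt["Resource"]
            for action in stmt["Action"]]


if __name__ == "__main__":
    # Constructed placeholder values; aws-cn is the partition of the China Regions.
    policy = scoped_policy("aws-cn", "cn-north-1", "111122223333",
                           "/ecs/adot-collector", "/adot/collector-config")
    print(json.dumps(policy, indent=2))
    print("still on *:", wildcard_actions(policy))
```

Run the collector with the scoped policy in a test task before replacing the wildcard policy; if its exporter has to list log groups other than the one named, logs:DescribeLogGroups needs a broader resource.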