Identify Amazon ECS optimization opportunities using application trace data - Amazon Elastic Container Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Identify Amazon ECS optimization opportunities using application trace data

Amazon ECS integrates with Amazon Distro for OpenTelemetry to collect trace data from your application. Amazon ECS uses an Amazon Distro for OpenTelemetry sidecar container to collect and route trace data to Amazon X-Ray. For more information, see Setting up Amazon Distro for OpenTelemetry Collector in Amazon ECS. You can then use Amazon X-Ray to identify errors and exceptions, and to analyze performance bottlenecks and response times.

For the Amazon Distro for OpenTelemetry Collector to send trace data to Amazon X-Ray, your application must be configured to create the trace data. For more information, see Instrumenting your application for Amazon X-Ray in the Amazon X-Ray Developer Guide.

Required IAM permissions for Amazon Distro for OpenTelemetry integration with Amazon X-Ray

The Amazon ECS integration with Amazon Distro for OpenTelemetry requires that you create a task IAM role and specify the role in your task definition. We recommend that you also configure the Amazon Distro for OpenTelemetry sidecar to route container logs to CloudWatch Logs, which requires that you also create a task execution IAM role and specify it in your task definition. The Amazon ECS console takes care of the task execution IAM role on your behalf, but you must create the task IAM role manually. For more information about creating a task execution IAM role, see Amazon ECS task execution IAM role.

Important

If you're also collecting application metrics using the Amazon Distro for OpenTelemetry integration, ensure your task IAM role also contains the permissions necessary for that integration. For more information, see Correlate Amazon ECS application performance using application metrics.

To create the service role for Elastic Container Service (IAM console)
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane of the IAM console, choose Roles, and then choose Create role.

  3. For Trusted entity type, choose Amazon Web Service.

  4. For Service or use case, choose Elastic Container Service, and then choose the Elastic Container Service Task use case.

  5. Choose Next.

  6. In the Add permissions section, search for AWSDistroOpenTelemetryPolicyForXray, then select the policy.

  7. (Optional) Set a permissions boundary. This is an advanced feature that is available for service roles, but not service-linked roles.

    1. Open the Set permissions boundary section, and then choose Use a permissions boundary to control the maximum role permissions.

      IAM includes a list of the Amazon managed and customer-managed policies in your account.

    2. Select the policy to use for the permissions boundary.

  8. Choose Next.

  9. Enter a role name or a role name suffix to help you identify the purpose of the role.

    Important

    When you name a role, note the following:

    • Role names must be unique within your Amazon Web Services account, and can't be made unique by case.

      For example, don't create roles named both PRODROLE and prodrole. When a role name is used in a policy or as part of an ARN, the role name is case sensitive. However, when a role name appears to customers in the console, such as during the sign-in process, the role name is case insensitive.

    • You can't edit the name of the role after it's created because other entities might reference the role.

  10. (Optional) For Description, enter a description for the role.

  11. (Optional) To edit the use cases and permissions for the role, in the Step 1: Select trusted entities or Step 2: Add permissions sections, choose Edit.

  12. (Optional) To help identify, organize, or search for the role, add tags as key-value pairs. For more information about using tags in IAM, see Tagging IAM resources in the IAM User Guide.

  13. Review the role, and then choose Create role.
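
After the role exists, you can check it offline before you reference it in a task definition. The following Python sketch is an added example and not part of the Amazon ECS documentation. It assumes the trust policy that the Elastic Container Service Task use case produces (service principal `ecs-tasks.amazonaws.com` with `sts:AssumeRole`); the function names, account ID, role name, and container name are constructed for illustration.

```python
ECS_TASKS = "ecs-tasks.amazonaws.com"  # service principal assumed for ECS tasks

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy):
    """Return findings for a task role trust policy given as a dict."""
    findings = []
    allows = [s for s in as_list(policy.get("Statement", []))
              if s.get("Effect") == "Allow"]
    if not allows:
        findings.append("no Allow statement, so ECS tasks cannot assume the role")
    for stmt in allows:
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # for example "Principal": "*"
            findings.append(f"wildcard principal {principal!r}")
            continue
        for kind, values in principal.items():
            for value in as_list(values):
                if (kind, value) != ("Service", ECS_TASKS):
                    findings.append(f"unexpected principal {kind}={value}")
        if as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            findings.append(f"unexpected action {stmt.get('Action')!r}")
    return findings

def audit_task_definition(task_def):
    """Return findings for the role fields of a task definition dict."""
    findings = []
    if not task_def.get("taskRoleArn"):
        findings.append("taskRoleArn is not set")
    uses_awslogs = any(
        c.get("logConfiguration", {}).get("logDriver") == "awslogs"
        for c in task_def.get("containerDefinitions", []))
    if uses_awslogs and not task_def.get("executionRoleArn"):
        findings.append("awslogs is used but executionRoleArn is not set")
    return findings

# Constructed samples; account ID, role name and container name are placeholders.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": ECS_TASKS},
    "Action": "sts:AssumeRole"}]}
BROAD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": ECS_TASKS, "AWS": "*"},
    "Action": "sts:AssumeRole"}]}
TASK_DEF = {  # taskRoleArn set, executionRoleArn deliberately omitted
    "taskRoleArn": "arn:aws-cn:iam::111122223333:role/example-adot-task-role",
    "containerDefinitions": [{"name": "aws-otel-collector",
        "logConfiguration": {"logDriver": "awslogs"}}]}
print(audit_trust_policy(BROAD_TRUST), audit_task_definition(TASK_DEF))
```

An empty list means the document passed every check; each string in a non-empty list names one deviation to review.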