I want to troubleshoot issues with Amazon Elastic Container Service (Amazon ECS) task tags.
Resolution
When you set task tags with Amazon ECS, you might experience the following issues:
- Your tags aren't propagated from service or task definition to tasks.
- You use an outdated ARN and resource ID format for your tags.
- Because of missing AWS Identity and Access Management (IAM) permissions or tag restrictions, you can't add tags to your ECS resources.
- You can't see ECS tags on the AWS Billing dashboard.
To troubleshoot these issues, complete the following tasks.
Use the PropagateTags parameter to propagate from service or task definitions to tasks
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
The PropagateTags parameter isn't turned on by default. To copy tags from the task definition or service to the task, turn on the parameter. You can copy tags when you run a task, create a service, or update a service.
To check if the PropagateTags is turned on in a specific service, run the following command in the AWS CLI:
aws ecs describe-services --services <servicename> --cluster <clustername> --region <region> --query 'services[*].propagateTags' --output text
Note: Replace servicename, clustername, and region with your values.
To use the AWS CLI to configure tags to propagate from the service or task definition, run the run-task, create-service, and update-service commands.
To use the console to turn on tag propagation, complete the following steps:
- Open the Amazon ECS console.
- Select the AWS Region for your ECS resource.
- In the navigation pane, choose Task Definitions.
- Select the task definition from the resource list, and then choose Actions.
- Choose Create Service or Run Task.
- In the Task tagging configuration, choose Service or Task definitions.
Note: The default option is Do not propagate.
To use the AWS CLI to update tag propagation for an existing service, run the following command:
aws ecs update-service --cluster <clustername> --service <servicename> --propagate-tags <SERVICE/TASK_DEFINITION> --force-new-deployment
To use AWS CloudFormation to configure tags in ECS, you must declare the AWS::ECS::Service resource. To declare AWS::ECS::Service, use the EnableECSManagedTags and PropagateTags properties with the SERVICE or TASK_DEFINITION value.
Note:
- To use ECS property-related service tags after you create a stack in CloudFormation, you must update your stack and resource replacement. The update deletes and recreates the service through CloudFormation.
- You can access the same configurations for scheduled tasks that you can for tasks directly launched from the Amazon ECS RunTask API.
Use the new ARN format
To tag Amazon ECS resources, you must use the new ARN and ID formats. To migrate your ECS deployment to the new ARN and resource ID format, see Migrating your Amazon ECS deployment to the new ARN and resource ID format.
Note: Your existing resources don't receive the new ARN format until the resources are recreated.
Verify that the IAM entity has the required permissions and check tags restrictions
If you can't add tags to your ECS service, then complete the following steps:
- Check AWS CloudTrail events for TagResource events.
- Review the events for one of the following error messages:
"AccessDenied"
"The tags cannot be updated at this time. Wait a few minutes and try again"
If you find one of the preceding errors, then the IAM entity doesn't have the ecs:TagResource permissions.
- Use either the IAM console or the AWS CLI to add the ecs:TagResource permissions to the IAM entities.
- Try to add the tags to the ECS cluster again.
- Confirm that your ECS tags are within the tag restrictions.
Check if you have an AWS Billing and Cost Management issue
To verify that the required tags are on ECS tasks level, run the list-tags-for-resource command:
aws ecs list-tags-for-resource --resource-arn <value>
Note: Replace value with your ARN.
To use the console to verify that the required tags are on ECS tasks, complete the following steps:
- Open the Amazon ECS console.
- Select the Region for your ECS resource.
- In the navigation pane, select a resource type, such as Clusters.
- Select the resource from the resource list, and then choose Tags. If tags exist, then the tags are listed.
If you're looking for managed tags, then turn on ECS managed tags. To check that ECS managed tags is turned on, run the following command:
aws ecs describe-services --services <servicename> --cluster <clustername> --region <region> --query 'services[*].enableECSManagedTags' --output text
Note: Replace servicename, clustername, and region with your values.
The command's output contains the enableECSManagedTags value.
To use the console to turn on ECS managed tags, complete the following steps:
- Open the Amazon ECS console.
- Select the Region for your ECS resource.
- In the navigation pane, select Task Definitions.
- Select the task definition from the resource list, and then choose Actions.
- Choose Create Service or Run Task.
- In the Task tagging configuration, choose Enable ECS managed tags.
To use the AWS CLI to turn on ECS managed tags, run the update-service command:
aws ecs update-service --cluster <clustername> --service <servicename> --enable-ecs-managed-tags --force-new-deployment
Tags that you use for billing might be listed, but you don't see the tags in AWS Cost Explorer. To resolve this issue, activate your cost-allocation tags in the Billing and Cost Management console.
Note: It can take up to 24 hours for tags to activate.
Related information
Amazon ECS troubleshooting
Tagging Amazon ECS resources