Regression in amazon/aws-for-fluent-bit:stable (2.34.0) — startup fails with "section 'env' is missing the 'name' property" #1002
Description
Describe the question/issue
After the amazon/aws-for-fluent-bit:stable image updated, our previously working ECS FireLens sidecar started failing at startup with:
[2025/09/23 15:06:54] [error] [config] section 'env' is missing the 'name' property
[2025/09/23 15:06:54] [error] configuration file contains errors, aborting.
No configuration changes were made on our side between the working and failing runs. Pinning the image back to a previous version restores normal operation.
Works: amazon/aws-for-fluent-bit:2.33.0.20250731
Fails: amazon/aws-for-fluent-bit:stable (e.g. digest sha256:c48197722e757505a33e8da08fc7833ff355c95e34817601eb0829097596afba)
On the failing image, startup logs show:
AWS for Fluent Bit Container Image Version 2.34.0
Fluent Bit v1.9.10
It looks like the newer image interprets or injects an env/[ENV] section despite our config not having such a block, causing the strict validation error.
Configuration
ECS Task Definition (sidecar excerpt)
{
"cpu": 0,
"environment": [],
"essential": true,
"firelensConfiguration": {
"options": {
"config-file-type": "file",
"config-file-value": "/fluent-bit/configs/parse-json.conf",
"enable-ecs-log-metadata": "true"
},
"type": "fluentbit"
},
"image": "amazon/aws-for-fluent-bit:stable",
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": "/aws/ecs/atlantis",
"awslogs-create-group": "true",
"awslogs-region": "eu-west-1",
"awslogs-stream-prefix": "axiom-ingester"
}
},
"memoryReservation": 50,
"name": "fluentbit",
"readonlyRootFilesystem": true,
"startTimeout": 30,
"stopTimeout": 120,
"user": "0"
}How the sidecar is deployed (Terraform snippet)
container_definitions = {
fluentbit = {
essential = true
image = "amazon/aws-for-fluent-bit:stable"
cpu = 0
memory_reservation = 50
log_configuration = {
logDriver = "awslogs"
options = {
awslogs-create-group = "true"
awslogs-group = "/aws/ecs/atlantis"
awslogs-region = var.region
awslogs-stream-prefix = "axiom-ingester"
}
}
firelens_configuration = {
type = "fluentbit"
options = {
enable-ecs-log-metadata = "true"
config-file-type = "file"
config-file-value = "/fluent-bit/configs/parse-json.conf"
}
}
}
}App container logs → FireLens output (Terraform excerpt)
The main application container uses the awsfirelens log driver to ship logs to Axiom via HTTP:
log_configuration = {
logDriver = "awsfirelens"
options = {
Name = "http"
Host = "api.eu.axiom.co"
Port = "443"
URI = "/v1/datasets/atlantis/ingest"
format = "json"
json_date_key = "_time"
json_date_format = "iso8601"
tls = "On"
}
secretOptions = [
{
name = "Header Authorization"
valueFrom = data.aws_secretsmanager_secret_version.axiom_ingest_token.arn
}
]
}Fluent Bit configuration file path
We point FireLens at /fluent-bit/configs/parse-json.conf. We did not change this file between the working and failing deployments. (If relevant: we don’t deliberately include an [ENV] block in this file.)
Fluent Bit Log Output
Key lines:
2025-09-23T15:06:54.399Z AWS for Fluent Bit Container Image Version 2.34.0
2025-09-23T15:06:54.486Z Fluent Bit v1.9.10
[2025/09/23 15:06:54] [error] [config] section 'env' is missing the 'name' property
[2025/09/23 15:06:54] [error] configuration file contains errors, aborting.
Fluent Bit Version Info
-
Failing image:
amazon/aws-for-fluent-bit:stable- Digest:
sha256:c48197722e757505a33e8da08fc7833ff355c95e34817601eb0829097596afba - Reports: AWS for Fluent Bit Container Image Version 2.34.0, Fluent Bit v1.9.10
- Digest:
-
Working image:
amazon/aws-for-fluent-bit:2.33.0.20250731(no other changes)
Cluster Details
- Platform: Amazon ECS with FireLens (sidecar)
- Launch type: Fargate
- Runtime platform:
LINUX/ARM64 - Region:
eu-west-1 - Networking: Service behind an ALB; app container sends logs via FireLens to HTTPS endpoint (Axiom). No App Mesh. Standard VPC; no special service mesh.
- Fluent Bit deployment: Sidecar alongside the app task
- Sidecar logs: to CloudWatch Logs (
/aws/ecs/atlantis)
Application Details
- Log volume: low-to-moderate (Atlantis server logs, typically tens of lines per minute under normal load)
- Log format: JSON; delivered via FireLens HTTP output with TLS and an Authorization header sourced from AWS Secrets Manager
Steps to reproduce issue
-
Deploy an ECS task with a Fluent Bit FireLens sidecar using image
amazon/aws-for-fluent-bit:stableand:firelensConfiguration.options.config-file-type=filefirelensConfiguration.options.config-file-value=/fluent-bit/configs/parse-json.confenable-ecs-log-metadata=true
-
Configure the application container to use
logDriver=awsfirelenswith an HTTP output (or any output). -
Start the task.
-
Observe Fluent Bit sidecar logs in CloudWatch:
- Error:
section 'env' is missing the 'name' property - Container exits/aborts.
- Error:
-
Change only the sidecar image to
amazon/aws-for-fluent-bit:2.33.0.20250731. -
Re-run the task; Fluent Bit starts successfully and logs flow normally.
Related Issues
I couldn’t find an existing issue matching this specific regression (implicit/strict parsing of an env block leading to name missing) in aws/aws-for-fluent-bit or fluent/fluent-bit. Please let me know if there’s a known change in 2.34.0 that would cause an env/[ENV] section to be required or auto-injected when config-file-type=file is used with FireLens.
- Fluent Bit core repo: checked for
[ENV]parsing regressions—no obvious match found. - AWS for Fluent Bit repo: release notes mention newer base image and component bumps, but nothing explicitly about
[ENV]behavior (from our cursory review).