Score:2

AWS ECS Fargate Task cannot pull secrets from SSM


I'm bootstrapping an ECS Cluster with AWS CDK. I created SecureStrings in SSM which I want to pass to the container secrets.

But when starting the service I get the following error message on the task:

"ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve secrets from ssm: service call has been retried 1 time(s): AccessDeniedException: User: arn:aws:sts::<ACCOUNT_ID>:assumed-role..."

The task runs in a private VPC, so I attached a VPC endpoint for service name com.amazonaws.eu-central-1.ssm to the VPC (both subnets). I also created a security group that allows TCP 443 INBOUND from 0.0.0.0/0 and attached that security group to the VPC endpoint.

I have no clue what I should do for troubleshooting.

Score:2

The fact you are getting an access denied may mean you don't have the proper permissions specified in the Task role. Check out the considerations listed here.

user15013406: Yes, I was referencing the wrong task execution role in my code -.-

MichaelG: This is also the error you receive when referencing a non-existing ssm parameter.
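The two failure causes this thread ends up at (a task definition whose execution role lacks `ssm:GetParameters` on the secret's ARN, and a `valueFrom` that points at a parameter that does not exist) are easy to check offline once you have the task definition and the role policies in hand. The following is an added example, not code from the asker or from AWS: a small Python script that runs a minimal IAM-style evaluation (explicit Deny wins, otherwise any matching Allow) over constructed sample data. All ARNs, role names, parameter paths and policy statements here are made-up sample values; the check also points out the exact mistake from the accepted comment, where the permission exists on the task role but ECS fetches secrets with the execution role.

```python
"""Offline pre-flight check for ECS Fargate container secrets sourced from SSM.

Flags two causes of "ResourceInitializationError: unable to pull secrets":
  1. the SSM parameter referenced in `valueFrom` does not exist, and
  2. the task *execution* role (not the task role) lacks ssm:GetParameters
     on that parameter's ARN.
"""
import fnmatch

# --- Constructed sample input (hypothetical values, not from any real account) ---
TASK_DEF = {
    "family": "web",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "taskRoleArn": "arn:aws:iam::123456789012:role/webTaskRole",
    "containerDefinitions": [{
        "name": "web",
        "secrets": [
            {"name": "DB_PASSWORD",
             "valueFrom": "arn:aws:ssm:eu-central-1:123456789012:parameter/prod/db/password"},
            {"name": "API_KEY",
             "valueFrom": "arn:aws:ssm:eu-central-1:123456789012:parameter/prod/api/key"},
        ],
    }],
}

# Inline policy statements per role. The execution role is scoped to /prod/db/*
# only; the task role is broad, which is the mix-up described in the thread.
ROLE_POLICIES = {
    "arn:aws:iam::123456789012:role/ecsTaskExecutionRole": [
        {"Effect": "Allow", "Action": ["ssm:GetParameters"],
         "Resource": "arn:aws:ssm:eu-central-1:123456789012:parameter/prod/db/*"},
    ],
    "arn:aws:iam::123456789012:role/webTaskRole": [
        {"Effect": "Allow", "Action": ["ssm:GetParameters", "kms:Decrypt"],
         "Resource": "*"},
    ],
}

# Parameter names that actually exist in SSM (constructed; /prod/api/key is missing).
EXISTING_PARAMETERS = {"/prod/db/password"}


def parameter_name(arn: str) -> str:
    """'arn:aws:ssm:...:parameter/prod/db/password' -> '/prod/db/password'."""
    return arn.split(":parameter", 1)[1]


def is_allowed(statements, action: str, resource: str) -> bool:
    """Minimal IAM evaluation: a matching Deny wins; otherwise any matching Allow."""
    allowed = False
    for st in statements:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        # IAM action names are case-insensitive; resource ARNs are not.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check_task_secrets(task_def, role_policies, existing_parameters):
    """Return a list of (secret_name, problem) tuples; an empty list means all clear."""
    findings = []
    exec_role = task_def["executionRoleArn"]
    exec_statements = role_policies.get(exec_role, [])
    task_statements = role_policies.get(task_def.get("taskRoleArn"), [])
    for container in task_def["containerDefinitions"]:
        for secret in container.get("secrets", []):
            arn = secret["valueFrom"]
            name = parameter_name(arn)
            if name not in existing_parameters:
                findings.append((secret["name"], f"parameter {name} does not exist"))
            if not is_allowed(exec_statements, "ssm:GetParameters", arn):
                hint = ""
                if is_allowed(task_statements, "ssm:GetParameters", arn):
                    hint = " (the task role allows it, but ECS fetches secrets with the execution role)"
                findings.append((secret["name"],
                                 f"execution role {exec_role} lacks ssm:GetParameters on {arn}{hint}"))
    return findings


if __name__ == "__main__":
    for secret_name, problem in check_task_secrets(TASK_DEF, ROLE_POLICIES, EXISTING_PARAMETERS):
        print(f"{secret_name}: {problem}")
```

With the sample data, `DB_PASSWORD` passes and `API_KEY` produces two findings: the parameter is missing, and the execution role's scope does not cover it even though the task role's does. A SecureString encrypted with a customer-managed KMS key would additionally need `kms:Decrypt` on that key for the execution role; the sample deliberately leaves that out of scope.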