
I'm bootstrapping an ECS Cluster with AWS CDK. I created SecureStrings in SSM which I want to pass to the container secrets.

But when starting the service I get the following error message on the task:

"ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve secrets from ssm: service call has been retried 1 time(s): AccessDeniedException: User: arn:aws:sts::<ACCOUNT_ID>:assumed-role..."

The task runs in a private VPC, so I attached a VPC endpoint for service name com.amazonaws.eu-central-1.ssm to the VPC (both subnets). I also created a security group that allows TCP 443 INBOUND from 0.0.0.0/0 and attached that security group to the VPC endpoint.

I have no clue what I should do for troubleshooting.

user15013406

1 Answer


The fact you are getting an access denied may mean you don't have the proper permissions specified in the Task role. Check out the considerations listed here.

mreferre
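An added troubleshooting example, not part of the original question or answer: ECS fetches container `secrets` from Parameter Store with the task execution role, which needs `ssm:GetParameters` on each parameter and `kms:Decrypt` when the SecureString uses a customer managed key. The sketch below checks a role's policy document against a task's secrets offline; the account ID, parameter names and key ARN are constructed placeholders, and the evaluation is deliberately simplified.

```python
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policy, action, resource):
    """Simplified IAM check: does any Allow statement cover action on resource?
    Ignores Deny, Condition, NotAction/NotResource, boundaries and SCPs."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt or "Resource" not in stmt:
            continue
        # IAM action names are case-insensitive; resource ARNs are not.
        action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                        for a in _as_list(stmt["Action"]))
        resource_ok = any(fnmatch.fnmatchcase(resource, r)
                          for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False

def missing_secret_permissions(policy, secrets, kms_key_arn=None):
    """Return (action, resource) pairs the role still lacks for these secrets."""
    missing = [("ssm:GetParameters", s["valueFrom"]) for s in secrets
               if not allows(policy, "ssm:GetParameters", s["valueFrom"])]
    # kms:Decrypt is only needed for a customer managed key.
    if kms_key_arn and not allows(policy, "kms:Decrypt", kms_key_arn):
        missing.append(("kms:Decrypt", kms_key_arn))
    return missing

# Constructed sample data (account ID, parameter names and key ID are placeholders).
PREFIX = "arn:aws:ssm:eu-central-1:123456789012:parameter"
SECRETS = [{"name": "DB_PASSWORD", "valueFrom": PREFIX + "/app/db_password"},
           {"name": "API_KEY", "valueFrom": PREFIX + "/app/api_key"}]
KMS_KEY = "arn:aws:kms:eu-central-1:123456789012:key/00000000-0000-0000-0000-000000000000"

IMAGE_PULL_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ecr:GetAuthorizationToken", "ecr:BatchGetImage", "logs:PutLogEvents"]}]}
WITH_SECRETS = {"Version": "2012-10-17", "Statement": IMAGE_PULL_ONLY["Statement"] + [
    {"Effect": "Allow", "Action": ["ssm:GetParameters"], "Resource": PREFIX + "/app/*"},
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": KMS_KEY}]}

if __name__ == "__main__":
    for label, policy in (("image pull only", IMAGE_PULL_ONLY), ("with secrets", WITH_SECRETS)):
        print(label, "->", missing_secret_permissions(policy, SECRETS, KMS_KEY))
```

Scoping the `ssm:GetParameters` resource to the application's parameter path, as in the second policy, keeps the execution role from reading unrelated parameters.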