aws ecs fargate can't fetch secret manager

amazon-web-services amazon-ecs aws-fargate secret-manager
Hide picture Hide · Apr 8, 2019 · Viewed 7.3k times · Source

I'm using AWS ECS service for orchestrate my docker container.

Also used Secret Manager for stored and retrieve personal information.

I apply SecretsManagerReadWrite policy to my ecsTaskExecutionRole and ecsServiceRole.

Before using Fargate, I just used ECS with EC2.

And it works fine.

But in fargate, it throw NoCredentialsError

I fetched to secret manager via python script that made with boto3. (https://docs.aws.amazon.com/ko_kr/code-samples/latest/catalog/python-secretsmanager-secrets_manager.py.html)

Is there any solution here?

Thanks.

CUSTOM Permission

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "secretsmanager:GetSecretValue",
                "ssm:GetParameters"
            ],
            "Resource": "*"
        }
    ]
}

Answer

Sébastien Stormacq picture Sébastien Stormacq · Apr 8, 2019

Be sure that the IAM policy you applied has the following permissions :

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameters",
        "secretsmanager:GetSecretValue",
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:ssm:<region>:<aws_account_id>:parameter/parameter_name",
        "arn:aws:secretsmanager:<region>:<aws_account_id>:secret:secret_name",
        "arn:aws:kms:<region>:<aws_account_id>:key/key_id"
      ]
    }
  ]
}

Also, be sure that you are using Fargate 1.3.0 (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/platform_versions.html)

But I would try something else to reduce the amount of code. Since Nov 2018, it is not necessary to write your own code to fetch secrets from Secret Manager. ECS/Fargate can do it for you. Just give ECS the permission to access your secret and give the secret ARN in the task definition. ECS/Fargate will assign the secret to the environment variable. Your code just need to read the environment variable as usual.

For example :

"containerDefinitions": [
    {
        "secrets": [
            {
                "name": "environment_variable_name",
                "valueFrom": "arn:aws:ssm:region:aws_account_id:parameter/parameter_name"
            }
        ]
    }
]

Doc is here : https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html

Related questions

AWS Secrets Manager can’t find the specified secret

I'm using AWS Fargate and storing sensitive data with Secrets Manager. Task definition should get environment variables from secrets store - name: "app" image: "ecr-image:tag" essential: true secrets: - name: "VAR1" valueFrom: "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-one-secret" - …

Read More
ECS task not starting - STOPPED (CannotPullContainerError: “Error response from daemon request canceled while waiting for connection”

I'm starting a task in ECS using Fargate and after being in PENDING for a little bit it ends up in STOPPED with the following error: STOPPED (CannotPullContainerError: "Error response from daem When I expand out the details I see …

Read More
AWS ECS Fargate and port mapping

I have two containers and they expose the same port. I want to run them in the same task as they are part of the same system. But I cannot do this with Fargate because there are no port mapping …

Read More