I'm using the AWS ECS service to orchestrate my Docker container.
I also used Secrets Manager to store and retrieve personal information.
I applied the SecretsManagerReadWrite policy to my ecsTaskExecutionRole and ecsServiceRole.
Before using Fargate, I just used ECS with EC2, and it worked fine.
But in Fargate, it throws NoCredentialsError.
I fetched from Secrets Manager via a Python script made with boto3 (https://docs.aws.amazon.com/ko_kr/code-samples/latest/catalog/python-secretsmanager-secrets_manager.py.html).
Is there any solution here?
Thanks.
CUSTOM Permission

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "kms:Decrypt",
                    "secretsmanager:GetSecretValue",
                    "ssm:GetParameters"
                ],
                "Resource": "*"
            }
        ]
    }
Be sure that the IAM policy you applied has the following permissions:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ssm:GetParameters",
                    "secretsmanager:GetSecretValue",
                    "kms:Decrypt"
                ],
                "Resource": [
                    "arn:aws:ssm:<region>:<aws_account_id>:parameter/parameter_name",
                    "arn:aws:secretsmanager:<region>:<aws_account_id>:secret:secret_name",
                    "arn:aws:kms:<region>:<aws_account_id>:key/key_id"
                ]
            }
        ]
    }
Also, be sure that you are using Fargate 1.3.0 (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/platform_versions.html)
But I would try something else to reduce the amount of code. Since Nov 2018, it is not necessary to write your own code to fetch secrets from Secrets Manager. ECS/Fargate can do it for you. Just give ECS the permission to access your secret and give the secret ARN in the task definition. ECS/Fargate will assign the secret to the environment variable. Your code just needs to read the environment variable as usual.
For example:
    "containerDefinitions": [
        {
            "secrets": [
                {
                    "name": "environment_variable_name",
                    "valueFrom": "arn:aws:ssm:region:aws_account_id:parameter/parameter_name"
                }
            ]
        }
    ]

Doc is here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html
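As an added example (not code from the question or the answer), a small Python helper that derives the scoped execution-role policy from the secrets a task definition actually references, and flags Allow statements that grant the secret-reading actions on "Resource": "*" like the question's custom policy. The sample task definition, account id, region and key ARN are constructed placeholders.

```python
# Constructed sample task definition (not from the page): one secret from SSM
# Parameter Store and one from Secrets Manager, both as full "valueFrom" ARNs.
SAMPLE_TASK_DEF = {"containerDefinitions": [{"secrets": [
    {"name": "DB_PASSWORD",
     "valueFrom": "arn:aws:ssm:us-east-1:123456789012:parameter/app/db_password"},
    {"name": "API_KEY",
     "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:app/api_key-AbCdEf"},
]}]}

# Action the execution role needs for each ARN service (per the answer's policy).
_SERVICE_ACTION = {"ssm": "ssm:GetParameters",
                   "secretsmanager": "secretsmanager:GetSecretValue"}


def secret_arns(task_def):
    """Every valueFrom ARN referenced by any container's 'secrets' list."""
    return [s["valueFrom"]
            for c in task_def.get("containerDefinitions", [])
            for s in c.get("secrets", [])]


def execution_role_policy(task_def, kms_key_arns=()):
    """Least-privilege execution-role policy naming exactly the referenced ARNs.

    Assumes every valueFrom is a full ARN (not a bare parameter name). kms:Decrypt
    is granted only for customer-managed key ARNs you pass in explicitly.
    """
    actions, resources = set(), []
    for arn in secret_arns(task_def):
        parts = arn.split(":")
        if len(parts) < 6 or parts[0] != "arn" or parts[2] not in _SERVICE_ACTION:
            raise ValueError(f"valueFrom must be an SSM or Secrets Manager ARN: {arn}")
        actions.add(_SERVICE_ACTION[parts[2]])
        resources.append(arn)
    if kms_key_arns:
        actions.add("kms:Decrypt")
        resources.extend(kms_key_arns)
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(actions),
                           "Resource": resources}]}


def overly_broad_statements(policy):
    """Sids of Allow statements granting secret-reading actions on Resource '*'."""
    as_list = lambda v: [v] if isinstance(v, str) else list(v)
    sensitive = set(_SERVICE_ACTION.values()) | {"kms:Decrypt"}
    return [st.get("Sid", "<no Sid>") for st in policy.get("Statement", [])
            if st.get("Effect") == "Allow" and "*" in as_list(st.get("Resource", []))
            and sensitive & set(as_list(st.get("Action", [])))]
```

Run it against your real task definition JSON to get a policy that names only the parameters and secrets the task needs, then attach that to the execution role instead of a wildcard policy.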