aws ecs fargate can't fetch secret manager

Hide picture Hide · Apr 8, 2019 · Viewed 7.3k times · Source

I'm using AWS ECS service for orchestrate my docker container.

Also used Secret Manager for stored and retrieve personal information.

I apply SecretsManagerReadWrite policy to my ecsTaskExecutionRole and ecsServiceRole.

Before using Fargate, I just used ECS with EC2.

And it works fine.

But in fargate, it throw NoCredentialsError

I fetched to secret manager via python script that made with boto3. (https://docs.aws.amazon.com/ko_kr/code-samples/latest/catalog/python-secretsmanager-secrets_manager.py.html)

Is there any solution here?

Thanks.


CUSTOM Permission

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "secretsmanager:GetSecretValue",
                "ssm:GetParameters"
            ],
            "Resource": "*"
        }
    ]
}

Answer

Sébastien Stormacq picture Sébastien Stormacq · Apr 8, 2019

Be sure that the IAM policy you applied has the following permissions :

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameters",
        "secretsmanager:GetSecretValue",
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:ssm:<region>:<aws_account_id>:parameter/parameter_name",
        "arn:aws:secretsmanager:<region>:<aws_account_id>:secret:secret_name",
        "arn:aws:kms:<region>:<aws_account_id>:key/key_id"
      ]
    }
  ]
}

Also, be sure that you are using Fargate 1.3.0 (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/platform_versions.html)

But I would try something else to reduce the amount of code. Since Nov 2018, it is not necessary to write your own code to fetch secrets from Secret Manager. ECS/Fargate can do it for you. Just give ECS the permission to access your secret and give the secret ARN in the task definition. ECS/Fargate will assign the secret to the environment variable. Your code just need to read the environment variable as usual.

For example :

"containerDefinitions": [
    {
        "secrets": [
            {
                "name": "environment_variable_name",
                "valueFrom": "arn:aws:ssm:region:aws_account_id:parameter/parameter_name"
            }
        ]
    }
]

Doc is here : https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html