AWS : Using EFS with Fargate/ECS Containers - amazon-web-services

I am attempting to use EFS with Fargate/ECS containers. I have tested the EFS file system from multiple Linux instances. I tried to follow the example at https://aws.amazon.com/premiumsupport/knowledge-center/ecs-fargate-mount-efs-containers-tasks/
The container throws this error.
Resourceinitializationerror: failed to invoke EFS utils commands to set up EFS volumes: stderr: b'mount.nfs4: access denied by server while mounting 127.0.0.1:/' : unsuccessful EFS utils command execution; code: 32
The EFS SecurityGroup :
Inbound:
TCP--2049--10.0.0.0/16 (VPC CIDR)
All--All--sg-0bd22... (Container SG ID)
Outbound:
All--All--0.0.0.0/0
The Container SecurityGroup
Inbound:
All--All--0.0.0.0/0
Outbound:
All--All--0.0.0.0/0
This is my task definition:
{
"ipcMode": null,
"executionRoleArn": "arn:aws:iam::327425660322:role/ecsTaskExecutionRole",
"containerDefinitions": [
{
"dnsSearchDomains": null,
"environmentFiles": null,
"logConfiguration": {
"logDriver": "awslogs",
"secretOptions": null,
"options": {
"awslogs-group": "/ecs/prefetch",
"awslogs-region": "us-east-2",
"awslogs-stream-prefix": "ecs"
}
},
"entryPoint": null,
"portMappings": [
{
"hostPort": 80,
"protocol": "tcp",
"containerPort": 80
}
],
"command": null,
"linuxParameters": null,
"cpu": 0,
"environment": [],
"resourceRequirements": null,
"ulimits": null,
"dnsServers": null,
"mountPoints": [
{
"readOnly": null,
"containerPath": "/usr/share/nginx/html",
"sourceVolume": "efs-html"
}
],
"workingDirectory": null,
"secrets": null,
"dockerSecurityOptions": null,
"memory": 128,
"memoryReservation": null,
"volumesFrom": [],
"stopTimeout": null,
"image": "nginx",
"startTimeout": null,
"firelensConfiguration": null,
"dependsOn": null,
"disableNetworking": null,
"interactive": null,
"healthCheck": null,
"essential": true,
"links": null,
"hostname": null,
"extraHosts": null,
"pseudoTerminal": null,
"user": null,
"readonlyRootFilesystem": null,
"dockerLabels": null,
"systemControls": null,
"privileged": null,
"name": "nginx"
}
],
"memory": "512",
"taskRoleArn": null,
"family": "efs-tutorial",
"pidMode": null,
"requiresCompatibilities": [
"FARGATE"
],
"networkMode": "awsvpc",
"runtimePlatform": {
"operatingSystemFamily": "LINUX",
"cpuArchitecture": null
},
"cpu": "256",
"inferenceAccelerators": [],
"proxyConfiguration": null,
"volumes": [
{
"fsxWindowsFileServerVolumeConfiguration": null,
"efsVolumeConfiguration": {
"transitEncryptionPort": null,
"fileSystemId": "fs-0d15c1e9184fffacd",
"authorizationConfig": {
"iam": "DISABLED",
"accessPointId": "fsap-04a23206444492e37"
},
"transitEncryption": "ENABLED",
"rootDirectory": "/"
},
"name": "efs-html",
"host": null,
"dockerVolumeConfiguration": null
}
],
"tags": []
}
I am also using the following policies on the task execution role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
]
}
And
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudwatch:DescribeAlarmsForMetric",
"cloudwatch:GetMetricData",
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeNetworkInterfaceAttribute",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcs",
"ec2:ModifyNetworkInterfaceAttribute",
"elasticfilesystem:Backup",
"elasticfilesystem:ClientRootAccess",
"elasticfilesystem:ClientWrite",
"elasticfilesystem:CreateFileSystem",
"elasticfilesystem:ClientMount",
"elasticfilesystem:CreateMountTarget",
"elasticfilesystem:CreateTags",
"elasticfilesystem:CreateAccessPoint",
"elasticfilesystem:CreateReplicationConfiguration",
"elasticfilesystem:DeleteFileSystem",
"elasticfilesystem:DeleteMountTarget",
"elasticfilesystem:DeleteTags",
"elasticfilesystem:DeleteAccessPoint",
"elasticfilesystem:DeleteFileSystemPolicy",
"elasticfilesystem:DeleteReplicationConfiguration",
"elasticfilesystem:DescribeAccountPreferences",
"elasticfilesystem:DescribeBackupPolicy",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeFileSystemPolicy",
"elasticfilesystem:DescribeLifecycleConfiguration",
"elasticfilesystem:DescribeMountTargets",
"elasticfilesystem:DescribeMountTargetSecurityGroups",
"elasticfilesystem:DescribeReplicationConfigurations",
"elasticfilesystem:DescribeTags",
"elasticfilesystem:DescribeAccessPoints",
"elasticfilesystem:ModifyMountTargetSecurityGroups",
"elasticfilesystem:PutAccountPreferences",
"elasticfilesystem:PutBackupPolicy",
"elasticfilesystem:PutLifecycleConfiguration",
"elasticfilesystem:PutFileSystemPolicy",
"elasticfilesystem:UpdateFileSystem",
"elasticfilesystem:TagResource",
"elasticfilesystem:UntagResource",
"elasticfilesystem:ListTagsForResource",
"elasticfilesystem:Restore",
"kms:DescribeKey",
"kms:ListAliases"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "iam:CreateServiceLinkedRole",
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": [
"elasticfilesystem.amazonaws.com"
]
}
}
}
]
}

There are two things you need to fix:
The IAM permissions for EFS access need to be on the ECS task role, not the ECS execution role.
You need to enable IAM authorization in the access point settings of the volume. You currently have it disabled ("iam": "DISABLED"), which means every IAM permission you are trying to grant is ignored and only the EFS volume's resource policy is evaluated.

Related

ECS Task Denied access to S3 ENV file

I found a couple of posts like this one that I thought would solve my issue, but I am still getting the "failed to download env file" error.
My workflow:
ECS Cluster running a FARGATE task definition
Task definition: network mode awsvpc on Linux OS. Has a role with AmazonECSTaskExecutionRolePolicy and this in-line policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Envfile",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/docker-assets/.env"
},
{
"Sid": "EnvFolder",
"Effect": "Allow",
"Action": "s3:GetBucketLocation",
"Resource": "arn:aws:s3:::my-bucket/docker-assets"
}
]
}
ECS Task Definition:
{
"ipcMode": null,
"executionRoleArn": "arn:aws:iam::my-account:role/ecsTaskExecutionRole",
"containerDefinitions": [
{
"dnsSearchDomains": null,
"environmentFiles": [
{
"value": "arn:aws:s3:::my-bucket/docker-assets/.env",
"type": "s3"
}
],
"logConfiguration": {
"logDriver": "awslogs",
"secretOptions": null,
"options": {
"awslogs-group": "/ecs/My-Task",
"awslogs-region": "us-east-1",
"awslogs-stream-prefix": "ecs"
}
},
"entryPoint": null,
"portMappings": [
{
"hostPort": 3000,
"protocol": "tcp",
"containerPort": 3000
}
],
"command": null,
"linuxParameters": null,
"cpu": 0,
"environment": [],
"resourceRequirements": null,
"ulimits": null,
"dnsServers": null,
"mountPoints": [],
"workingDirectory": null,
"secrets": null,
"dockerSecurityOptions": null,
"memory": null,
"memoryReservation": null,
"volumesFrom": [],
"stopTimeout": null,
"image": "my-account.dkr.ecr.us-east-1.amazonaws.com/my-app-v1:v1",
"startTimeout": null,
"firelensConfiguration": null,
"dependsOn": null,
"disableNetworking": null,
"interactive": null,
"healthCheck": null,
"essential": true,
"links": null,
"hostname": null,
"extraHosts": null,
"pseudoTerminal": null,
"user": null,
"readonlyRootFilesystem": null,
"dockerLabels": null,
"systemControls": null,
"privileged": null,
"name": "my-app"
}
],
"placementConstraints": [],
"memory": "512",
"taskRoleArn": "arn:aws:iam::my-account:role/ecsTaskExecutionRole",
"compatibilities": [
"EC2",
"FARGATE"
],
"taskDefinitionArn": "arn:aws:ecs:us-east-1:my-account:task-definition/My-Task:5",
"family": "My-Task",
"requiresAttributes": [
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.logging-driver.awslogs"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "ecs.capability.execution-role-awslogs"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.ecr-auth"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.docker-remote-api.1.19"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "ecs.capability.env-files.s3"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.task-iam-role"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "ecs.capability.execution-role-ecr-pull"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "ecs.capability.task-eni"
}
],
"pidMode": null,
"requiresCompatibilities": [
"FARGATE"
],
"networkMode": "awsvpc",
"runtimePlatform": null,
"cpu": "256",
"revision": 5,
"status": "ACTIVE",
"inferenceAccelerators": null,
"proxyConfiguration": null,
"volumes": []
}
The task definition also lists the s3 ARN of the env file.
I am running with a default VPC and subnet
The automatic IP is enabled
My s3 bucket was created with block all public access
Please let me know if any further information is required to help with the answer. Thanks in advance.
I updated my ecsTaskExecutionRole's in-line policy to cover the bucket (with and without a trailing slash) and everything under it. This seemed to work. s3:GetBucketLocation is a bucket-level action, so the entry that matters is the bucket ARN arn:aws:s3:::my-bucket; the original policy only named an object path for it.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::my-bucket/docker-assets/.env"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/",
"arn:aws:s3:::my-bucket/*"
]
}
]
}

AWS ECS FARGATE - unable to pull image from docker private repository

I'm trying to create an ECS cluster with a task that pulls an image from my private Docker repository.
I created a secret in AWS SecretsManager.
I created policy with following parameters.
"Action": "secretsmanager:GetSecretValue",
"Resource": "arn:aws:secretsmanager:eu-west-1:123456789:secret:docker_private_repo-123456"
I added the new policy to the "ecsTaskExecutionRole" that was created by the ECS task definition process.
But unfortunately, the task always stops.
I tried to follow everything in the following tutorials:
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html
https://aws.amazon.com/blogs/compute/introducing-private-registry-authentication-support-for-aws-fargate/
I'm getting this error:
"Stopped reason ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to get registry auth from asm: service call has been retried 1 time(s): unable to unmarshal secret value of authorization data from asm: i..."
Launch type FARGATE
Platform version 1.4.0
Can anyone help me, please.
Thank you..
Task Definition:
{
"ipcMode": null,
"executionRoleArn": "arn:aws:iam::123456789:role/ecsTaskExecutionRole",
"containerDefinitions": [
{
"dnsSearchDomains": null,
"environmentFiles": null,
"logConfiguration": {
"logDriver": "awslogs",
"secretOptions": null,
"options": {
"awslogs-group": "/ecs/WebFTask",
"awslogs-region": "eu-west-1",
"awslogs-stream-prefix": "ecs"
}
},
"entryPoint": null,
"portMappings": [
{
"hostPort": 80,
"protocol": "tcp",
"containerPort": 80
}
],
"command": null,
"linuxParameters": null,
"cpu": 0,
"environment": [],
"resourceRequirements": null,
"ulimits": null,
"repositoryCredentials": {
"credentialsParameter": "arn:aws:secretsmanager:eu-west-1:123456789:secret:docker_private_repo-123456"
},
"dnsServers": null,
"mountPoints": [],
"workingDirectory": null,
"secrets": null,
"dockerSecurityOptions": null,
"memory": null,
"memoryReservation": 512,
"volumesFrom": [],
"stopTimeout": null,
"image": "docker.io/username/imageName:latest",
"startTimeout": null,
"firelensConfiguration": null,
"dependsOn": null,
"disableNetworking": null,
"interactive": null,
"healthCheck": null,
"essential": true,
"links": null,
"hostname": null,
"extraHosts": null,
"pseudoTerminal": null,
"user": null,
"readonlyRootFilesystem": null,
"dockerLabels": null,
"systemControls": null,
"privileged": null,
"name": "WebContariner"
}
],
"placementConstraints": [],
"memory": "2048",
"taskRoleArn": "arn:aws:iam::123456789:role/ecsTaskExecutionRole",
"compatibilities": [
"EC2",
"FARGATE"
],
"taskDefinitionArn": "arn:aws:ecs:eu-west-1:123456789:task-definition/WebFTask:6",
"family": "WebFTask",
"requiresAttributes": [
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.logging-driver.awslogs"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "ecs.capability.execution-role-awslogs"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.docker-remote-api.1.19"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "ecs.capability.private-registry-authentication.secretsmanager"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.docker-remote-api.1.21"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.task-iam-role"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "ecs.capability.task-eni"
}
],
"pidMode": null,
"requiresCompatibilities": [
"FARGATE"
],
"networkMode": "awsvpc",
"cpu": "1024",
"revision": 6,
"status": "ACTIVE",
"inferenceAccelerators": null,
"proxyConfiguration": null,
"volumes": []
}
ecsTaskExecutionRole:
Policy 1:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
]
}
Policy 2:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "secretsmanager:GetSecretValue",
"Resource": "arn:aws:secretsmanager:eu-west-1:123456789:secret:docker_private_repo-123456c"
}
]
}
Your task definition shows lack of task role:
"taskRoleArn": null,
It seems you created it, but you haven't assigned it to the task. Separately, the secret ARN in Policy 2 ends in docker_private_repo-123456c while the credentialsParameter in the task definition ends in docker_private_repo-123456; if that is not a transcription slip, the execution role is not granted secretsmanager:GetSecretValue on the secret the task actually references.

UnrecognizedClientException in AWS fargate

I am trying to deploy a Fargate container in AWS ECS, but I get the following error:
error getting rds cred staging/tas:
{
"message": "The security token included in the request is invalid",
"code": "UnrecognizedClientException",
"time": "2020-06-07T06:10:17.324Z",
"requestId": "5a3287f8-8c7b-49f9-b346-9239840f05bd",
"statusCode": 400,
"retryable": false,
"retryDelay": 7.012616197026311
}
Since I am using Fargate, the next thing I checked was the task role and the task execution role. They use the same IAM role, which has the AmazonECSTaskExecutionRolePolicy:
{
"Statement": [
{
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"logs:CreateLogStream",
"logs:PutLogEvents",
"secretsmanager:GetSecretValue"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
As requested, I am adding the task definition:
{
"ipcMode": null,
"executionRoleArn": "arn:aws-cn:iam::xxxyyyeeezzz:role/tas-common-resource-ECSTaskExecutionRole-ZEATKLAUUDV8",
"containerDefinitions": [
{
"dnsSearchDomains": [],
"environmentFiles": null,
"logConfiguration": {
"logDriver": "awslogs",
"secretOptions": [],
"options": {
"awslogs-group": "TASStagingLogs",
"awslogs-region": "cn-north-1",
"awslogs-stream-prefix": "web-app-staging"
}
},
"entryPoint": [],
"portMappings": [
{
"hostPort": 8000,
"protocol": "tcp",
"containerPort": 8000
}
],
"command": [
"npm",
"start"
],
"linuxParameters": null,
"cpu": 0,
"environment": [
{
"name": "NODE_ENV",
"value": "staging"
},
{
"name": "RDS_SECRET_NAME",
"value": "staging/tas"
}
],
"resourceRequirements": null,
"ulimits": [],
"dnsServers": [],
"mountPoints": [],
"workingDirectory": null,
"secrets": [],
"dockerSecurityOptions": [],
"memory": null,
"memoryReservation": null,
"volumesFrom": [],
"stopTimeout": null,
"image": "xxxyyyeeezzz.dkr.ecr.cn-north-1.amazonaws.com.cn/tas/master-server",
"startTimeout": null,
"firelensConfiguration": null,
"dependsOn": null,
"disableNetworking": null,
"interactive": null,
"healthCheck": null,
"essential": true,
"links": [],
"hostname": null,
"extraHosts": [],
"pseudoTerminal": null,
"user": null,
"readonlyRootFilesystem": null,
"dockerLabels": {},
"systemControls": [],
"privileged": null,
"name": "web-app"
}
],
"placementConstraints": [],
"memory": "4096",
"taskRoleArn": "arn:aws-cn:iam::xxxyyyeeezzz:role/tas-common-resource-ECSTaskExecutionRole-ZEATKLAUUDV8",
"compatibilities": [
"EC2",
"FARGATE"
],
"taskDefinitionArn": "arn:aws-cn:ecs:cn-north-1:xxxyyyeeezzz:task-definition/master-web-staging-WebTaskDef-ZE50JXHI06U1:1",
"family": "master-web-staging-WebTaskDef-ZE50JXHI06U1",
"requiresAttributes": [
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.logging-driver.awslogs"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "ecs.capability.execution-role-awslogs"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.ecr-auth"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.docker-remote-api.1.19"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.docker-remote-api.1.17"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.task-iam-role"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "ecs.capability.execution-role-ecr-pull"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "ecs.capability.task-eni"
}
],
"pidMode": null,
"requiresCompatibilities": [
"EC2",
"FARGATE"
],
"networkMode": "awsvpc",
"cpu": "2048",
"revision": 1,
"status": "ACTIVE",
"inferenceAccelerators": null,
"proxyConfiguration": null,
"volumes": []
}
But it has read access to all resources in Secrets Manager, so I wonder what could have gone wrong. Please help. Thanks.
Hi, the problem has been fixed. The issue is that the region was wrong: it was hardcoded in the app as ap-southeast-1, but the app was deployed in cn-north-1. The task's credentials come from the aws-cn partition and are not recognized by endpoints in the standard partition, which is why the error reports an invalid security token rather than a permissions denial.

AWS ECS Task - Cannot override CPU

I am trying to override the CPU units for an ECS task in the RunTask method of the SDK.
Task Definition
{
"ipcMode": null,
"executionRoleArn": "arn:aws:iam::111459517389:role/ecsTaskExecutionRole",
"containerDefinitions": [
{
...,
"portMappings": [
{
"hostPort": 80,
"protocol": "tcp",
"containerPort": 80
},
...
],
"command": null,
"linuxParameters": null,
"cpu": 256, # CONTAINER CPU Units (default)
"environment": [
{
"name": "ECS_IMAGE_PULL_BEHAVIOR",
"value": "prefer-cached"
}
],
"ulimits": null,
...
"name": "some-job-container"
}
],
"placementConstraints": [],
"memory": "8192", # TASK SIZE
"taskRoleArn": "arn:aws:iam::111459517389:role/ecsTaskExecutionRole",
"compatibilities": [
"EC2",
"FARGATE"
],
"taskDefinitionArn": "arn:aws:ecs:eu-west-3:111459517389:task-definition/some-definition:7",
"family": "some-job-dev",
"requiresAttributes": [
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.logging-driver.awslogs"
},
...
],
"pidMode": null,
"requiresCompatibilities": [
"FARGATE"
],
"networkMode": "awsvpc",
"cpu": "4096", # TASK SIZE
"revision": 7,
"status": "ACTIVE",
"inferenceAccelerators": null,
"proxyConfiguration": null,
"volumes": []
}
And here's the RunTask parameters
{
"taskDefinition":"some-job-dev",
"cluster":"some-cluster",
"overrides":{
"containerOverrides":[
{
"name":"some-job-container",
"command":[
"kosmos",
"segmentation-queue"
],
"cpu":4092,
"memory":8192
}
]
},
"networkConfiguration":{
"awsvpcConfiguration":{
"assignPublicIp":"ENABLED",
"subnets":[
"subnet-789",
"subnet-456",
"subnet-123"
]
}
}
}
When I run a task with these parameters, the memory of the container gets correctly overridden, but not the CPU.
I am following the ECS documentation and it still doesn't work; am I missing something here?
Notes:
My task launch type is Fargate
I had a similar issue, and it's intermittent. Were you able to solve it?
I see you are passing the values as integers; for me, specifying them as strings helped.

ECS Fargate Service - who needs to access KMS for Secrets?

I'm trying to set up an ECS service that will run a single task with MySQL and a web server. I'd like to inject some runtime parameters as environment variables from SSM Parameter Store. Some of them will be plain text, but some will be encrypted with KMS. So suppose I have the following task definition:
{
"ipcMode": null,
"executionRoleArn": "arn:aws:iam::657433956652:role/ecsTaskExecutionRole",
"containerDefinitions": [
{
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": "/ecs/wordpress-test",
"awslogs-region": "eu-central-1",
"awslogs-stream-prefix": "ecs"
}
},
"entryPoint": null,
"portMappings": [
{
"hostPort": 80,
"protocol": "tcp",
"containerPort": 80
}
],
"memoryReservation": 512,
"name": "wordpress"
},
{
"dnsSearchDomains": null,
"logConfiguration": {
"logDriver": "awslogs",
"secretOptions": null,
"options": {
"awslogs-group": "/ecs/wordpress-test",
"awslogs-region": "eu-central-1",
"awslogs-stream-prefix": "ecs"
}
},
"secrets": [
{
"valueFrom": "arn:aws:ssm:eu-central-1:657433956652:parameter/project/dev/db.connection.default.password",
"name": "MYSQL_ROOT_PASSWORD"
}
],
"memoryReservation": 512,
"name": "mysql"
}
],
"placementConstraints": [],
"memory": "1024",
"taskRoleArn": "arn:aws:iam::657433956652:role/ecsTaskExecutionRole",
"compatibilities": [
"FARGATE"
],
"taskDefinitionArn": "arn:aws:ecs:eu-central-1:657433956652:task-definition/wordpress-test:1",
"family": "wordpress-test",
"networkMode": "awsvpc",
"cpu": "512",
}
The question is: which role should receive access to read SSM Parameter Store and the key used for encrypting SecureString parameters? Should it be the service, the cluster, or maybe even the pipeline that actually creates the service dynamically?
Your ecsTaskExecutionRole should have permission to read the SSM parameter, plus kms:Decrypt on the key that encrypts it, because the execution role (not the task role) is what ECS uses to resolve the "secrets" entries when the container starts.
Create an inline policy and attach it to arn:aws:iam::657433956652:role/ecsTaskExecutionRole.
From the documentation sample:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:GetParameters",
"secretsmanager:GetSecretValue",
"kms:Decrypt"
],
"Resource": [
"arn:aws:ssm:<region>:<aws_account_id>:parameter/parameter_name",
"arn:aws:secretsmanager:<region>:<aws_account_id>:secret:secret_name",
"arn:aws:kms:<region>:<aws_account_id>:key/key_id"
]
}
]
}
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html#secrets-iam