Hello everyone ! I’m trying to setup a full ecr-fargate-ecs pipeline with Pulumi. I need to pass some secrets stored in secrets manager to my image. I’ve declared a

FargateService

with a

taskDefinitionArgs

and gave it a

taskRole

and

executionRole

with an Role containing the right permissions to retrieve secrets (‘secretsmanager:GetSecretValue’, ‘kms:Decrypt’ and ‘ssm:GetParameters’). But i’m stuck with an error:

RessourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve secrets from ssm: service call has been retried 1 times): Invalld ssm parameters

I was unaware that secrets manager uses ssm store parameter under the hood since i have not set any parameter store. Does anyone has any idea to help me figure this ? Thanks in advance 🙏

It looks like perhaps your params/secrets references might not be quite right — can you share that section? Perhaps the correct SSM param ARN string isn’t what’s being stored in the container def block. e.g.

secrets: [
  { name: 'ENV_VAR_NAME', valueFrom: 'arn:aws:ssm:<region>:<account>:parameter/parampath/paramname' }
]

@calm-cat-43230 do i have to pass an ssm arn ? i wanted to pass my secrets manager full arn

Looks ok to me, based on https://docs.aws.amazon.com/AmazonECS/latest/developerguide/secrets-envvar-secrets-manager.html — I’ve not used Secrets Manager, but it seems you can get away without the “default colons” at the end of the ARN, based on that. It does seem like somewhere it’s trying to interpret that as SSM though. Perhaps 1. try to call each of your secrets using the CLI and those ARNs, to ensure they aren’t malformed, and 2. build up your

secrets

block one by one until you hit the one that’s failing?