quaint-guitar-13446
08/20/2020, 4:14 AM
Fetching secret data from SSM Parameter Store in ap-southeast-2: AccessDeniedException: User: <...> is not authorized to perform: ssm:GetParameters on resource: <...> status code: 400, request id: f13766c0-3c7b-46c7-9a34-5dd3b12f0e86
nice-airport-15607
08/20/2020, 5:03 AM
quaint-guitar-13446
08/20/2020, 6:10 AM
nice-airport-15607
08/20/2020, 6:41 AM
assumeRolePolicy in https://www.pulumi.com/docs/reference/pkg/aws/lambda/permission/#basic-example should look something like
[
  {
    "Action": [
      "ssm:GetParametersByPath",
      "ssm:GetParameter"
    ],
    "Effect": "Allow",
    "Resource": [
      "arn:aws:ssm:${region}:${accountId}:*",
      "arn:aws:ssm:${region}:${accountId}:parameter:*",
      "arn:aws:secretsmanager:${region}:${accountId}:secret:*"
    ]
  }, {
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Effect": "Allow",
    "Resource": [
      "arn:aws:secretsmanager:${region}:${accountId}:*",
      "arn:aws:secretsmanager:${region}:${accountId}:secret:*"
    ]
  }
]
for you…
quaint-guitar-13446
08/20/2020, 6:52 AM
nice-airport-15607
08/20/2020, 7:04 AM
quaint-guitar-13446
08/20/2020, 7:25 AM
executionRole on the taskDefinitionArgs for the fargate service.
The role is basically the ecs-tasks assumed role, with AmazonECSTaskExecutionRolePolicy and AmazonSSMReadOnlyAccess policies attached