I'm trying to pass ssm Parameters to Fargate and i...
# awsq
quaint-guitar-13446
08/20/2020, 4:14 AMI'm trying to pass ssm Parameters to Fargate and it's throwing the following error while provisioning:
Copy code
Fetching secret data from SSM Parameter Store in ap-southeast-2: AccessDeniedException: User: <...> is not authorized to perform: ssm:GetParameters on resource: <...> status code: 400, request id: f13766c0-3c7b-46c7-9a34-5dd3b12f0e86n
nice-airport-15607
08/20/2020, 5:03 AMhave you attached the ssm parameter policy to fargate? i haven’t used it, but if its the same as lambdas, you have to attach the policy to allow fargate to do things in the store…
👍 1
q
quaint-guitar-13446
08/20/2020, 6:10 AMSo I attach that in Pulumi?
quaint-guitar-13446
08/20/2020, 6:10 AMTo be clear, I haven't.
n
nice-airport-15607
08/20/2020, 6:41 AMif you notice the
assumeRolePolicy Copy code
[
{
"Action": [
"ssm:GetParametersByPath",
"ssm:GetParameter"
],
"Effect": "Allow",
"Resource": [
"arn:aws:ssm:${region}:${accountId}:*",
"arn:aws:ssm:${region}:${accountId}:parameter:*",
"arn:aws:secretsmanager:${region}:${accountId}:secret:*"
]
}, {
"Action": [
"secretsmanager:GetSecretValue"
],
"Effect": "Allow",
"Resource":[
"arn:aws:secretsmanager:${region}:${accountId}:*",
"arn:aws:secretsmanager:${region}:${accountId}:secret:*"
]
}
]q
quaint-guitar-13446
08/20/2020, 6:52 AMThank you
quaint-guitar-13446
08/20/2020, 6:53 AMThe next thing I'm unclear of is to what object I need to attach the role. Is it on the service, or the cluster?
n
nice-airport-15607
08/20/2020, 7:04 AMI’m not really sure, like i said, i’ve never used fargate with pulumi. sorry dude.
q
quaint-guitar-13446
08/20/2020, 7:25 AMAll good. Thanks
👍 1
quaint-guitar-13446
08/20/2020, 11:53 PMI was able to resolve this. I had to set the
executionRoletaskDefinitionArgsAmazonECSTaskExecutionRolePolicyAmazonSSMReadOnlyAccess127 Views