# aws
q
I'm trying to pass SSM parameters to Fargate and it's throwing the following error while provisioning:

```text
Fetching secret data from SSM Parameter Store in ap-southeast-2: AccessDeniedException: User: <...> is not authorized to perform: ssm:GetParameters on resource: <...> status code: 400, request id: f13766c0-3c7b-46c7-9a34-5dd3b12f0e86
```
n
Have you attached the SSM parameter policy to Fargate? I haven't used it, but if it's the same as Lambdas, you have to attach the policy to allow Fargate to do things in the store…
q
So I attach that in Pulumi?
To be clear, I haven't.
n
If you notice the `assumeRolePolicy` in https://www.pulumi.com/docs/reference/pkg/aws/lambda/permission/#basic-example, it should look something like

```json
[
  {
    "Action": [
      "ssm:GetParameters",
      "ssm:GetParametersByPath",
      "ssm:GetParameter"
    ],
    "Effect": "Allow",
    "Resource": [
      "arn:aws:ssm:${region}:${accountId}:*",
      "arn:aws:ssm:${region}:${accountId}:parameter:*",
      "arn:aws:secretsmanager:${region}:${accountId}:secret:*"
    ]
  },
  {
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Effect": "Allow",
    "Resource": [
      "arn:aws:secretsmanager:${region}:${accountId}:*",
      "arn:aws:secretsmanager:${region}:${accountId}:secret:*"
    ]
  }
]
```

for you…
q
Thank you
The next thing I'm unclear of is to what object I need to attach the role. Is it on the service, or the cluster?
n
I'm not really sure; like I said, I've never used Fargate with Pulumi. Sorry dude.
q
All good. Thanks
I was able to resolve this. I had to set the `executionRole` on the `taskDefinitionArgs` for the Fargate service. The role is basically the ecs-tasks assumed role, with the `AmazonECSTaskExecutionRolePolicy` and `AmazonSSMReadOnlyAccess` policies attached.