No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

have you attached the ssm parameter policy to fargate? i haven’t used it, but if its the same as lambdas, you have to attach the policy to allow fargate to do things in the store…

if you notice the `assumeRolePolicy` in <https://www.pulumi.com/docs/reference/pkg/aws/lambda/permission/#basic-example>

should look something like
```[
{
      "Action": [
        "ssm:GetParametersByPath",
        "ssm:GetParameter"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:ssm:${region}:${accountId}:*",
        "arn:aws:ssm:${region}:${accountId}:parameter:*",
        "arn:aws:secretsmanager:${region}:${accountId}:secret:*"
      ]
    }, {
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Effect": "Allow",
      "Resource":[
        "arn:aws:secretsmanager:${region}:${accountId}:*",
        "arn:aws:secretsmanager:${region}:${accountId}:secret:*"
      ]
    }
]```
for you…

The next thing I'm unclear of is to what object I need to attach the role. Is it on the service, or the cluster?

I’m not really sure, like i said, i’ve never used fargate with pulumi. sorry dude.

I was able to resolve this. I had to set the `executionRole` on the `taskDefinitionArgs` for the fargate service.

The role is basically the ecs-tasks assumed role, with `AmazonECSTaskExecutionRolePolicy` and `AmazonSSMReadOnlyAccess` policies attached