
botocore.exceptions.NoCredentialsError: Unable to locate credentials in AWS ECS

I have a Docker container running in AWS Fargate. It needs to access Parameter Store to fetch some parameters. When I run it, it fails on the following code:

import boto3
from botocore.exceptions import ClientError

# Region is fixed here; credentials are left to boto3's default provider chain
# (environment variables, shared credential files, then the ECS container
# credential endpoint that serves the task role's temporary credentials).
ssm = boto3.client('ssm', region_name='us-east-1')


def get_ssm_parameter(name: str, with_decryption=False) -> str:
    """Fetch a single Parameter Store value; decrypt SecureString values when asked."""
    try:
        response = ssm.get_parameter(
            Name=name,
            WithDecryption=with_decryption)
        parameter = response['Parameter']['Value']
    except ClientError as error:
        # Print the AWS error code (e.g. AccessDeniedException) before re-raising
        print(error.response['Error']['Code'])
        raise
    return parameter

I have an IAM role for the ECS task which has the following policies:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameters"
            ],
            "Resource": [
                "arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_PWD",
                "arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_USERNAME"
            ]
        }
    ]
}

I believe that boto3 cannot find AWS credentials and that is why it raises the error. I also tried to attach the AmazonSSMFullAccess policy to the ECS role but it still gives the same error. I can't seem to understand why. I don't want to hard-code the credentials in the code and am looking for a way to use an IAM role to give access to Parameter Store.

Update:

I added the secrets in task definition like this:

"secrets": [
    {
        "valueFrom": "arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_USERNAME",
        "name": "MONGODB_USERNAME"
    },
    {
        "valueFrom": "arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_PWD",
        "name": "MONGODB_PWD"
    }
]

I also added the following policy to my ECS role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameters"
            ],
            "Resource": [
                "arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_PWD",
                "arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_USERNAME"
            ]
        }
    ]
}

Now I am getting a different error:

botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetParameter operation: User: arn:aws:sts::633157335118:assumed-role/ecsTaskExecutionRole/9620073221dc4c118ee500f2834898ce is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_USERNAME

I was able to resolve it after attaching the AmazonSSMFullAccess policy to the ECS role.
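Two details in the post explain the second error and are worth checking before reaching for AmazonSSMFullAccess. First, the principal in the AccessDenied message is `assumed-role/ecsTaskExecutionRole/...`: the credentials boto3 picked up inside the container belong to a role named ecsTaskExecutionRole, so whatever role is set as the task's `taskRoleArn` is the one that must carry the SSM permission (the execution role is what the ECS agent uses to pull the image, write logs and inject `secrets`; the application's SDK calls use the task role). Second, the attached policy grants `ssm:GetParameters` (plural), which is the action ECS needs for `secrets` injection, while `ssm.get_parameter()` in the code requires `ssm:GetParameter` (singular). AmazonSSMFullAccess hides both problems because it grants `ssm:*` on `*`; a least-privilege policy names both actions on the two parameter ARNs.

The script below is an added example, not code from the original post. It is a deliberately small IAM Allow-statement evaluator that maps a boto3 method to its IAM action and reports which calls a policy would reject, reproducing the "is not authorized to perform: ssm:GetParameter" outcome offline. The three policy documents and the boto3-to-action table are constructed for the example (the ARNs are the ones in the question); it implements only Allow statements with `*`/`?` wildcards and ignores Deny, Condition, NotAction, SCPs, permission boundaries and KMS key policies, which real IAM also evaluates.

```python
"""
Checks whether an IAM policy document allows the IAM action behind a boto3 SSM
call on a given parameter ARN. Added illustration, not code from the original
post: Allow statements and '*'/'?' wildcards only.
"""
import fnmatch

# Assumption: hand-written subset of the boto3 method -> IAM action mapping.
BOTO3_METHOD_TO_ACTION = {
    "get_parameter": "ssm:GetParameter",
    "get_parameters": "ssm:GetParameters",
    "get_parameters_by_path": "ssm:GetParametersByPath",
}

# ARNs taken from the question; the policies below are constructed for the example.
PWD_ARN = "arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_PWD"
USER_ARN = "arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_USERNAME"

# The policy from the question: plural GetParameters only.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm:GetParameters"],
        "Resource": [PWD_ARN, USER_ARN],
    }],
}

# Least-privilege alternative to AmazonSSMFullAccess: the singular action the
# application calls plus the plural one ECS uses to inject `secrets`, scoped to
# the two parameters. SecureString parameters encrypted with a customer-managed
# KMS key would additionally need kms:Decrypt on that key.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm:GetParameter", "ssm:GetParameters"],
        "Resource": [PWD_ARN, USER_ARN],
    }],
}

# Roughly the SSM part of AmazonSSMFullAccess: every SSM action on every resource.
FULL_ACCESS_LIKE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ssm:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _glob_match(patterns, value):
    """IAM wildcard semantics: '*' matches any run of characters, '?' exactly one."""
    return any(fnmatch.fnmatchcase(value, pattern) for pattern in patterns)


def is_allowed(policy, action, resource_arn):
    """True if some Allow statement grants `action` on `resource_arn`.

    IAM action names are case-insensitive; resource ARNs are case-sensitive.
    """
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny handling deliberately omitted in this toy evaluator
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if _glob_match(actions, action.lower()) and _glob_match(resources, resource_arn):
            return True
    return False


def denied_calls(policy, boto3_methods, resource_arns):
    """Return (method, action, arn) triples that `policy` would reject.

    Running this over the policy actually attached to the task role reproduces
    the 'is not authorized to perform: ssm:GetParameter' error before deploying.
    """
    denied = []
    for method in boto3_methods:
        action = BOTO3_METHOD_TO_ACTION[method]
        for arn in resource_arns:
            if not is_allowed(policy, action, arn):
                denied.append((method, action, arn))
    return denied


if __name__ == "__main__":
    calls = ["get_parameter", "get_parameters"]
    for name, policy in [("question", QUESTION_POLICY),
                         ("least-privilege", LEAST_PRIVILEGE_POLICY),
                         ("full-access-like", FULL_ACCESS_LIKE)]:
        print(name, denied_calls(policy, calls, [PWD_ARN, USER_ARN]))
```

The question's policy rejects `get_parameter` on both ARNs while accepting `get_parameters`, which matches the error in the update; the least-privilege policy accepts both calls on the two named parameters and nothing else, whereas the `ssm:*` policy accepts every SSM call on every parameter in the account, which is the price paid for the quick fix.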
