AWS Batch on Fargate: AccessDenied trying to access secrets manager

0

I am able to run ECS tasks and access secrets from Secrets Manager to pass as environment variables to my container. I am attempting to do the same thing with my AWS Batch job definition.

  1. I am using the same ecsTaskExecutionRole on both ECS and Batch, so I know the permissions are good for accessing the desired secret because it works on ECS. I triple checked the permissions per https://docs.aws.amazon.com/batch/latest/userguide/execution-IAM-role.html
  2. I am almost certain it's not a networking issue, as I'm running the job with a public IP and in a public subnet of my VPC (the same VPC subnet that I have ECS tasks successfully fetching secrets in)
  3. When attempting to run a job, I get the following error:
    "statusReason": "ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve secrets from ssm: service call has been retried 1 time(s): AccessDeniedException: User: arn:aws:sts::XXXXXXXX:assumed-role..."
  4. If I remove the secrets from the job definition the container will pull from the registry.

Both the AWS Web Console and CLI have the truncated statusReason error, which is frustrating because there may be useful info there.

dirkh
質問済み 3年前652ビュー
1回答
1

Turns out I had an invalid "ValueFrom" value on a secret, and the error message would presumably have pointed to the invalid secret if the error message was not truncated. Would be nice if the ARNs were validated in the job definition.

dirkh
回答済み 3年前

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ