AWS Batch on Fargate: AccessDenied trying to access secrets manager

0

I am able to run ECS tasks and access secrets from Secrets Manager to pass as environment variables to my container. I am attempting to do the same thing with my AWS Batch job definition.

  1. I am using the same ecsTaskExecutionRole on both ECS and Batch, so I know the permissions are good for accessing the desired secret because it works on ECS. I triple checked the permissions per https://docs.aws.amazon.com/batch/latest/userguide/execution-IAM-role.html
  2. I am almost certain it's not a networking issue, as I'm running the job with a public IP and in a public subnet of my VPC (the same VPC subnet that I have ECS tasks successfully fetching secrets in)
  3. When attempting to run a job, I get the following error:
    "statusReason": "ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve secrets from ssm: service call has been retried 1 time(s): AccessDeniedException: User: arn:aws:sts::XXXXXXXX:assumed-role..."
  4. If I remove the secrets from the job definition the container will pull from the registry.

Both the AWS Web Console and CLI have the truncated statusReason error, which is frustrating because there may be useful info there.

dirkh
asked 3 years ago635 views
1 Answer
1

Turns out I had an invalid "ValueFrom" value on a secret, and the error message would presumably have pointed to the invalid secret if the error message was not truncated. Would be nice if the ARNs were validated in the job definition.

dirkh
answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions