
NoCredentialsError on attempted write to SQS from ECS (Fargate)


I have been struggling for hours to push a message to SQS from a running ECS container. I have done the following:

  • Added all available SQS policies to ECS task execution role
  • Added access policy to SQS giving full rights to ECS task execution role
  • Added VPC endpoint allowing everything and anything

Yet when my container application attempts to post a message to a queue (tested and working) boto3 raises NoCredentialsError. From what I read, setting up IAM roles should resolve this but it is not working for me. I have given overly broad access in all of these cases in an attempt to just get something to work. Are there any other steps I need to take to allow my ECS container to interact with SQS?

Here are the configurations as mentioned above:

IAM policy attached to ecsTaskExecutionRole:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sqs:DeleteMessage",
                "sqs:GetQueueUrl",
                "sqs:ChangeMessageVisibility",
                "sqs:ReceiveMessage",
                "sqs:SendMessage",
                "sqs:GetQueueAttributes",
                "sqs:ListQueueTags",
                "sqs:ListDeadLetterSourceQueues",
                "sqs:PurgeQueue",
                "sqs:DeleteQueue",
                "sqs:CreateQueue",
                "sqs:SetQueueAttributes"
            ],
            "Resource": "arn:aws:sqs:*:<account>:*"
        }
    ]
}

SQS access policy (NOTE: initially tried setting service instead of principal):

{
  "Version": "2012-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__owner_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account>:role/ecsTaskExecutionRole"
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:us-east-1:<account>:messages"
    }
  ]
}

VPC Endpoint Policy:

{
	"Statement": [
		{
			"Action": "*",
			"Effect": "Allow",
			"Principal": "*",
			"Resource": "*"
		}
	]
}

The VPC endpoint is attached to all subnets in the VPC (I only have one in the account).

Why am I still getting NoCredentialsError in ECS when attempting to write to the queue? Is this even possible?

1 Answer
Accepted Answer

I believe the IAM role used by containers running on ECS is a task role, not a task execution role.
The Task Execution role is an IAM role used by ECS to pull container images from ECRs and other sources.
The task role is an IAM role used by ECS containers to use other AWS services, so if the task role is not set, a "NoCredentialsError" will occur.
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html

Is the task role set?

answered 3 years ago
  • You are absolutely right. I stumbled upon a similar answer somewhere else and was just about to come back and answer my own question. I think I knew this at some point, so a bit of a face-palm for me. Thanks and hopefully this helps someone else.
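To make the task-role/execution-role distinction from the answer concrete, here is an added pre-deployment check (example code, not from the question, the answer or AWS): it inspects an ECS task definition for a missing or misused `taskRoleArn` and evaluates whether the task role's policy grants a given SQS action on a given queue. The account id `123456789012`, the role names and the queue name are constructed placeholders.

```python
import fnmatch

# Constructed sample task definition. The execution role is what ECS itself uses
# to pull the image; the task role is what boto3 inside the container picks up.
TASK_DEFINITION = {
    "family": "messages-producer",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "taskRoleArn": "arn:aws:iam::123456789012:role/messagesProducerTaskRole",
}

# Constructed least-privilege policy for the task role: SendMessage on the one
# queue, instead of the sqs:* on every queue that the question's policy grants.
TASK_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["sqs:SendMessage", "sqs:GetQueueUrl"],
        "Resource": "arn:aws:sqs:us-east-1:123456789012:messages",
    }],
}

def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def check_task_role(task_definition):
    """Return findings about role wiring; an empty list means it looks right."""
    findings = []
    task_role = task_definition.get("taskRoleArn")
    if not task_role:
        findings.append("taskRoleArn missing: the container gets no credentials "
                        "(boto3 raises NoCredentialsError)")
    elif task_role == task_definition.get("executionRoleArn"):
        findings.append("taskRoleArn equals executionRoleArn: image-pull rights "
                        "leak into the application")
    return findings

def policy_allows(policy, action, resource_arn):
    """True if an Allow statement matches action and resource (IAM * and ?
    wildcards mapped onto fnmatch; explicit Deny is not evaluated here)."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if any(fnmatch.fnmatchcase(action.lower(), a) for a in actions) \
                and any(fnmatch.fnmatchcase(resource_arn, r) for r in resources):
            return True
    return False
```

Running `check_task_role` against a definition that only sets `executionRoleArn` reproduces the situation in the question, and `policy_allows` shows that the scoped policy permits `sqs:SendMessage` on the one queue while refusing `sqs:DeleteQueue` and any other queue.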
