Docker-compose to ECS,

0

I faced a problem with Secrets deploying docker-compose.yml to ECS. I don't understand why.

The policy by itself seems working, but it doesn't work here.

ERROR TEXT

HasuraService TaskFailedToStart: ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve secret from asm: service call has been retried 1 time(s): failed to fetch secret *[HERE WAS ARN]/username* from secrets manager: AccessDeniedException: User: arn:aws:sts::925578195865:assumed-role/gochi-HasuraTaskExecutionRole-17C7ELVZK3HX2/50f19aa9ec5f44e6ae7b95ded3bb4a3f is not authorized to perform: secretsmanager:GetSecretValue on resource: *[HERE WAS ARN]/username* because no identity-based policy allows the secretsmanager:GetSecretValue action status code: 400, request id: ab2d966b-9e00-433a-89d3-804b52dfe39f

DOCKER-COMPOSE.YML

version: '3.9'
x-aws-vpc: [VPC-HERE]
x-aws-load-balancer: [LOAD-BALANCER-HERE]

services:
  hasura:
    image: hasura/graphql-engine:latest
    ports:
      - '8080:8080'
    environment:
      HASURA_GRAPHQL_DATABASE_URL: postgres://${RDS_USERNAME}:${RDS_PASSWORD}@*[RDS_URL_HERE]*:5432/gochi
      HASURA_GRAPHQL_ENABLE_CONSOLE: true
      HASURA_GRAPHQL_ADMIN_SECRET: ${HASURA_PASSWORD}
    secrets:
      - RDS_USERNAME
      - RDS_PASSWORD
      - HASURA_PASSWORD
    x-aws-policies:
      - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
      - arn:aws:iam::925578195865:policy/GochiHasuraTaskExecution

secrets:

  RDS_USERNAME:
    name:  *[HERE WAS ARN]/username*
    external: true
  RDS_PASSWORD:
    name:  *[HERE WAS ARN]/password*
    external: true
  HASURA_PASSWORD:
    name:  *[HERE WAS ARN]/password*
    external: true

arn:aws:iam::925578195865:policy/GochiHasuraTaskExecution

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": [
                *[HERE WAS ARN]/username*,
                *[HERE WAS ARN]/password*,
                *[HERE WAS ARN]/password*,
                *[HERE WAS ARN]*,
                *[HERE WAS ARN]*,
            ]
        }
    ]
}

CLODUD FORMATION CONFIG

AWSTemplateFormatVersion: 2010-09-09
Resources:
  CloudMap:
    Properties:
      Description: Service Map for Docker Compose project gochi
      Name: gochi.local
      Vpc: vpc-00ba3cc7fea7e3a72
    Type: AWS::ServiceDiscovery::PrivateDnsNamespace
  Cluster:
    Properties:
      ClusterName: gochi
      Tags:
      - Key: com.docker.compose.project
        Value: gochi
    Type: AWS::ECS::Cluster
  Default8080Ingress:
    Properties:
      CidrIp: 0.0.0.0/0
      Description: hasura:8080/tcp on default network
      FromPort: 8080
      GroupId:
        Ref: DefaultNetwork
      IpProtocol: TCP
      ToPort: 8080
    Type: AWS::EC2::SecurityGroupIngress
  DefaultNetwork:
    Properties:
      GroupDescription: gochi Security Group for default network
      Tags:
      - Key: com.docker.compose.project
        Value: gochi
      - Key: com.docker.compose.network
        Value: gochi_default
      VpcId: vpc-00ba3cc7fea7e3a72
    Type: AWS::EC2::SecurityGroup
  DefaultNetworkIngress:
    Properties:
      Description: Allow communication within network default
      GroupId:
        Ref: DefaultNetwork
      IpProtocol: "-1"
      SourceSecurityGroupId:
        Ref: DefaultNetwork
    Type: AWS::EC2::SecurityGroupIngress
  HasuraService:
    DependsOn:
    - HasuraTCP8080Listener
    Properties:
      Cluster:
        Fn::GetAtt:
        - Cluster
        - Arn
      DeploymentConfiguration:
        MaximumPercent: 200
        MinimumHealthyPercent: 100
      DeploymentController:
        Type: ECS
      DesiredCount: 1
      LaunchType: FARGATE
      LoadBalancers:
      - ContainerName: hasura
        ContainerPort: 8080
        TargetGroupArn:
          Ref: HasuraTCP8080TargetGroup
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: ENABLED
          SecurityGroups:
          - Ref: DefaultNetwork
          Subnets:
          - subnet-0cde4d8ffd50e8f32
          - subnet-0e11aed9fd537388d
          - subnet-00e18e2b59a78ac21
      PlatformVersion: 1.4.0
      PropagateTags: SERVICE
      SchedulingStrategy: REPLICA
      ServiceRegistries:
      - RegistryArn:
          Fn::GetAtt:
          - HasuraServiceDiscoveryEntry
          - Arn
      Tags:
      - Key: com.docker.compose.project
        Value: gochi
      - Key: com.docker.compose.service
        Value: hasura
      TaskDefinition:
        Ref: HasuraTaskDefinition
    Type: AWS::ECS::Service
  HasuraServiceDiscoveryEntry:
    Properties:
      Description: '"hasura" service discovery entry in Cloud Map'
      DnsConfig:
        DnsRecords:
        - TTL: 60
          Type: A
        RoutingPolicy: MULTIVALUE
      HealthCheckCustomConfig:
        FailureThreshold: 1
      Name: hasura
      NamespaceId:
        Ref: CloudMap
    Type: AWS::ServiceDiscovery::Service
  HasuraTCP8080Listener:
    Properties:
      DefaultActions:
      - ForwardConfig:
          TargetGroups:
          - TargetGroupArn:
              Ref: HasuraTCP8080TargetGroup
        Type: forward
      LoadBalancerArn:
        Ref: LoadBalancer
      Port: 8080
      Protocol: TCP
    Type: AWS::ElasticLoadBalancingV2::Listener
  HasuraTCP8080TargetGroup:
    Properties:
      Port: 8080
      Protocol: TCP
      Tags:
      - Key: com.docker.compose.project
        Value: gochi
      TargetType: ip
      VpcId: vpc-00ba3cc7fea7e3a72
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
  HasuraTaskDefinition:
    Properties:
      ContainerDefinitions:
      - Command:
        - '[{"Name":"RDS_USERNAME","Keys":null},{"Name":"RDS_PASSWORD","Keys":null},{"Name":"HASURA_PASSWORD","Keys":null}]'
        Essential: false
        Image: docker/ecs-secrets-sidecar:1.0
        LogConfiguration:
          LogDriver: awslogs
          Options:
            awslogs-group:
              Ref: LogGroup
            awslogs-region:
              Ref: AWS::Region
            awslogs-stream-prefix: gochi
        MountPoints:
        - ContainerPath: /run/secrets/
          SourceVolume: secrets
        Name: Hasura_Secrets_InitContainer
        Secrets:
        - Name: RDS_USERNAME
          ValueFrom: [HERE WAS ARN]
        - Name: RDS_PASSWORD
          ValueFrom: [HERE WAS ARN]
        - Name: HASURA_PASSWORD
          ValueFrom: [HERE WAS ARN]
      - Command:
        - eu-central-1.compute.internal
        - gochi.local
        Essential: false
        Image: docker/ecs-searchdomain-sidecar:1.0
        LogConfiguration:
          LogDriver: awslogs
          Options:
            awslogs-group:
              Ref: LogGroup
            awslogs-region:
              Ref: AWS::Region
            awslogs-stream-prefix: gochi
        Name: Hasura_ResolvConf_InitContainer
      - DependsOn:
        - Condition: SUCCESS
          ContainerName: Hasura_Secrets_InitContainer
        - Condition: SUCCESS
          ContainerName: Hasura_ResolvConf_InitContainer
        Environment:
        - Name: HASURA_GRAPHQL_ADMIN_SECRET
          Value: three
        - Name: HASURA_GRAPHQL_DATABASE_URL
          Value: [SOME ENV VARS]
        - Name: HASURA_GRAPHQL_ENABLE_CONSOLE
          Value: "true"
        Essential: true
        Image: docker.io/hasura/graphql-engine:latest@sha256:5f10837a829cbc70f87fffb9168003026343ed1c6c8a0a69104642637a21076e
        LinuxParameters: {}
        LogConfiguration:
          LogDriver: awslogs
          Options:
            awslogs-group:
              Ref: LogGroup
            awslogs-region:
              Ref: AWS::Region
            awslogs-stream-prefix: gochi
        MountPoints:
        - ContainerPath: /run/secrets/
          ReadOnly: true
          SourceVolume: secrets
        Name: hasura
        PortMappings:
        - ContainerPort: 8080
          HostPort: 8080
          Protocol: tcp
      Cpu: "256"
      ExecutionRoleArn:
        Ref: HasuraTaskExecutionRole
      Family: gochi-hasura
      Memory: "512"
      NetworkMode: awsvpc
      RequiresCompatibilities:
      - FARGATE
      TaskRoleArn:
        Ref: HasuraTaskRole
      Volumes:
      - Name: secrets
    Type: AWS::ECS::TaskDefinition
  HasuraTaskExecutionRole:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Action:
          - sts:AssumeRole
          Condition: {}
          Effect: Allow
          Principal:
            Service: ecs-tasks.amazonaws.com
        Version: 2012-10-17
      ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
      - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
      Policies:
      - PolicyDocument:
          Statement:
          - Action:
            - secretsmanager:GetSecretValue
            - ssm:GetParameters
            - kms:Decrypt
            Condition: {}
            Effect: Allow
            Principal: {}
            Resource:
            - [ARN1]/username
            - [ARN1]/password
            - [ARN2]/password
        PolicyName: hasuraGrantAccessToSecrets
      Tags:
      - Key: com.docker.compose.project
        Value: gochi
      - Key: com.docker.compose.service
        Value: hasura
    Type: AWS::IAM::Role
  HasuraTaskRole:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Action:
          - sts:AssumeRole
          Condition: {}
          Effect: Allow
          Principal:
            Service: ecs-tasks.amazonaws.com
        Version: 2012-10-17
      ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
      - arn:aws:iam::925578195865:policy/GochiHasuraTaskExecution
      Tags:
      - Key: com.docker.compose.project
        Value: gochi
      - Key: com.docker.compose.service
        Value: hasura
    Type: AWS::IAM::Role
  LoadBalancer:
    Properties:
      LoadBalancerAttributes:
      - Key: load_balancing.cross_zone.enabled
        Value: "true"
      Scheme: internet-facing
      Subnets:
      - subnet-0cde4d8ffd50e8f32
      - subnet-0e11aed9fd537388d
      - subnet-00e18e2b59a78ac21
      Tags:
      - Key: com.docker.compose.project
        Value: gochi
      Type: network
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
  LogGroup:
    Properties:
      LogGroupName: /docker-compose/gochi
    Type: AWS::Logs::LogGroup

1 Answer
0

In HasuraTaskDefinition I think you need this.

      ExecutionRoleArn:
        Fn::GetAtt: 
          - HasuraTaskExecutionRole
          - Arn

Ref for an AWS::IAM::Role returns the resource name and not the ARN. [src]

answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions