I'm executing the ECS task within the private subnets alongside the NAT gateway, but I'm encountering an error when attempting to retrieve values from Secrets Manager

0

I'm executing the ECS task within the private subnets alongside the NAT gateway. However, I encountered a 'Secret Manager retrieve value failed' error; after creating the endpoint from ECS to Secrets Manager, the issue was resolved. Surprisingly, when opting for the public subnet, the role alone suffices. My query pertains to why ECS in the private subnet requires an endpoint connection to Secrets Manager.

1 answer
0

It sounds like your Private subnet does not have a route to a NAT Gateway in a public Subnet.

Expert
Answered 1 month ago
  • The private subnets also have a NAT gateway

  • What subnet is the NAT Gateway on?

  • Yes, if I use the custom policy in the ECS task definition I get the "ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve secret from asm: service call has been retried 1 time(s): failed to fetch secret arn:aws:secretsmanager:us-east-2:117416794335:secret:SubscriptionApp/Stage/ENV-Credentials-3sS4z9 from secrets manager: AccessDeniedException: User: arn:aws:sts::117234594535:assumed-role/ecsTaskExecutionRole/0fdf743dd51140d2ac90866333e52bdc is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-2:117416794335:secret:SubscriptionApp/1/env-Credentials-3sS4z9 because no identity-based policy allows the secretsmanager:GetSecretValue action status code: 400, request id: 1146aef6-1521-47a7-9644-0faabba028b1"

  • Thanks for your error message. Looks like a policy issue then?
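The thread ends on an AccessDeniedException for secretsmanager:GetSecretValue, i.e. the task execution role's identity-based policy does not match the secret's ARN. As an added illustration (not code from the post or from AWS), the Python below builds the least-privilege statement the execution role needs and checks it against a secret ARN using IAM's wildcard rules, including the six-character suffix Secrets Manager appends to every secret ARN. The account id, secret name and suffix are constructed, and the evaluator is a deliberate simplification of IAM (no Condition keys, NotAction/NotResource, resource policies or SCPs).

```python
import json
import re


def _iam_match(pattern: str, value: str, case_insensitive: bool) -> bool:
    """IAM wildcard match: '*' is any run of characters, '?' exactly one char,
    nothing else is special. Action names match case-insensitively; resource
    ARNs match case-sensitively."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.IGNORECASE if case_insensitive else 0) is not None


def _as_list(v):
    return [v] if isinstance(v, (str, dict)) else list(v)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified identity-policy evaluation: an explicit Deny wins, otherwise
    any matching Allow grants; with no match the default is deny (the
    'no identity-based policy allows ...' case in the error above)."""
    allowed = False
    for st in _as_list(policy["Statement"]):
        act_hit = any(_iam_match(a, action, True) for a in _as_list(st.get("Action", [])))
        res_hit = any(_iam_match(r, resource, False) for r in _as_list(st.get("Resource", [])))
        if act_hit and res_hit:
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def execution_role_secret_policy(secret_arn_prefix: str, kms_key_arn: str = None) -> dict:
    """Least-privilege inline policy for the ECS task execution role.
    Secrets Manager appends '-' plus six random characters to the ARN, so the
    Resource must end in a wildcard; kms:Decrypt is only needed when the secret
    is encrypted with a customer-managed KMS key."""
    statements = [{"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
                   "Resource": f"{secret_arn_prefix}-??????"}]
    if kms_key_arn:
        statements.append({"Effect": "Allow", "Action": "kms:Decrypt", "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}


# Constructed sample values, not the ARNs from the thread.
SECRET_PREFIX = "arn:aws:secretsmanager:us-east-2:123456789012:secret:SubscriptionApp/Stage/ENV-Credentials"
SECRET_ARN = SECRET_PREFIX + "-Ab1xYz"

if __name__ == "__main__":
    policy = execution_role_secret_policy(SECRET_PREFIX)
    print(json.dumps(policy, indent=2))
    print("GetSecretValue allowed:", is_allowed(policy, "secretsmanager:GetSecretValue", SECRET_ARN))
```

A policy whose Resource is the bare prefix (no `-??????` or `-*`) will fail the last check, which is a common cause of this exact AccessDeniedException even when the action is correct.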
