I am able to run ECS tasks and access secrets from Secrets Manager to pass as environment variables to my container. I am attempting to do the same thing with my AWS Batch job definition.
- I am using the same ecsTaskExecutionRole on both ECS and Batch, so I know the permissions are good for accessing the desired secret because it works on ECS. I triple checked the permissions per https://docs.aws.amazon.com/batch/latest/userguide/execution-IAM-role.html
- I am almost certain it's not a networking issue, as I'm running the job with a public IP and in a public subnet of my VPC (the same VPC subnet that I have ECS tasks successfully fetching secrets in)
- When attempting to run a job, I get the following error:
"statusReason": "ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve secrets from ssm: service call has been retried 1 time(s): AccessDeniedException: User: arn:aws:sts::XXXXXXXX:assumed-role..."
- If I remove the secrets from the job definition the container will pull from the registry.
Both the AWS Web Console and CLI have the truncated statusReason error, which is frustrating because there may be useful info there.
AWS 官方已更新 1 年前