botocore.exceptions.NoCredentialsError: Unable to locate credentials in AWS ECS

I have a docker container running in aws fargate. It needs to access parameter store to fetch some parameters. When I run it, it fails on the following code:

ssm = boto3.client('ssm', region_name='us-east-1') def get_ssm_parameter(name: str, with_decryption=False) -> str: try: response = ssm.get_parameter( Name=name, WithDecryption=with_decryption) parameter = response['Parameter']['Value'] except ClientError as error: print(error.response['Error']['Code']) raise return parameter 

I have an IAM role for ecs task which has the following policies:

"Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "*" } ] 

}

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:GetParameters" ], "Resource": [ "arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_PWD", "arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_USERNAME" ] } ] } 

I believe that boto3 cannot find aws credentials and that is why it raises the error. I also tried to attach AmazonSSMFullAccess policy to the ecs role but it still gives the same error. Can't seems to understand why. I dun't want to hard code the credentials in the code and looking a way to use IAM role to gives access to Parameter store.

Update:

I added the secrets in task definition like this:

 "secrets": [ { "valueFrom": "arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_USERNAME", "name": "MONGODB_USERNAME" }, { "valueFrom": "arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_PWD", "name": "MONGODB_PWD" } 

I also added the following policy to my ecs role:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ssm:GetParameters" ], "Resource": [ "arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_PWD", "arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_USERNAME" ] } ] } 

Now I am getting a different error:

botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetParameter operation: User: arn:aws:sts::633157335118:assumed-role/ecsTaskExecutionRole/9620073221dc4c118ee500f2834898ce is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_USERNAME 

1 Answer

I was able to resolve after attaching AmazonSSMFullAccess Policy to ecs role

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like