We have a reader that reads messages from an SQS Queue. Locally it works, however when we deploy to ECS, we receive an exception:
Access to the resource [queue-url] is denied.
We can access the queue locally, i.e. when we initialize the client with a Profile through CredentialProfileStoreChain. We have also double and triple checked all policies and permissions - all the resources have the needed access to one another (i.e. ECS -> read/write/delete SQS).
I believe I'm not initializing the AmazonSQSClient properly, but I have followed all documentation, and tried various options.
Code below:
My SqsClientFactory (which creates an AmazonSQSClient):
using Amazon;
using Amazon.Runtime;
using Amazon.Runtime.CredentialManagement;
using Amazon.SQS;

public static AmazonSQSClient CreateClient(AppSettings appSettings)
{
    var sqsConfig = new AmazonSQSConfig()
    {
        RegionEndpoint = RegionEndpoint.GetBySystemName(appSettings.Region)
    };

    // For testing on the local machine - this works
    if (!String.IsNullOrEmpty(appSettings.AwsProfile))
    {
        var credentialProfileStoreChain = new CredentialProfileStoreChain();
        AWSCredentials credentials;
        credentialProfileStoreChain.TryGetAWSCredentials(appSettings.AwsProfile, out credentials);
        return new AmazonSQSClient(credentials, sqsConfig);
    }

    // For deployed versions
    return new AmazonSQSClient(RegionEndpoint.GetBySystemName(appSettings.Region));
    // Also tried:
    // return new AmazonSQSClient(sqsConfig);
    // return new AmazonSQSClient();
}
Am I missing something regarding initializing an AmazonSQSClient properly?
Found the solution, and of course it was something astoundingly stupid. Someone had checked in an appsettings.json file with the profile value not being empty, i.e. "profile: #aws_profile#". It was left over from when these settings were to be injected during the pipeline execution, before we opted for the Parameter Store.
That means that this part:
    if (!String.IsNullOrEmpty(appSettings.AwsProfile))
was true, and never reached the proper code.
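The root cause above is a silently ignored failure: TryGetAWSCredentials returns false when the profile does not exist, and the factory never looked at that result, so a leftover placeholder in configuration sent the service down the wrong branch with unusable credentials. The following factory is an added example (not the asker's code) that fails fast in both places: it rejects a value that still looks like an unreplaced pipeline token (the "#...#" shape is taken from the answer), and it throws if a configured profile cannot be resolved. The AppSettings type is a hypothetical stand-in for the one in the question; the AWS SDK for .NET calls (CredentialProfileStoreChain, AmazonSQSClient constructors, RegionEndpoint.GetBySystemName) are real.

```csharp
using System;
using Amazon;
using Amazon.Runtime;
using Amazon.Runtime.CredentialManagement;
using Amazon.SQS;

// Hypothetical settings type mirroring the one used in the question.
public sealed class AppSettings
{
    public string Region { get; set; }
    public string AwsProfile { get; set; }
}

public static class SqsClientFactory
{
    // True when a value is an unreplaced pipeline token such as "#aws_profile#".
    // The "#...#" convention comes from the answer; adapt it to your own pipeline.
    public static bool LooksLikeUnreplacedToken(string value)
    {
        if (string.IsNullOrWhiteSpace(value)) return false;
        var v = value.Trim();
        return v.Length >= 2
            && v.StartsWith("#", StringComparison.Ordinal)
            && v.EndsWith("#", StringComparison.Ordinal);
    }

    public static AmazonSQSClient CreateClient(AppSettings appSettings)
    {
        if (appSettings == null) throw new ArgumentNullException(nameof(appSettings));
        if (string.IsNullOrWhiteSpace(appSettings.Region))
            throw new InvalidOperationException("AWS region is not configured.");

        var sqsConfig = new AmazonSQSConfig
        {
            RegionEndpoint = RegionEndpoint.GetBySystemName(appSettings.Region)
        };

        // Fail fast on a placeholder left over from the build pipeline instead of
        // silently taking the local-profile branch with a profile that does not exist.
        if (LooksLikeUnreplacedToken(appSettings.AwsProfile))
            throw new InvalidOperationException(
                $"AwsProfile is set to the unreplaced placeholder '{appSettings.AwsProfile}'; " +
                "leave it empty for deployed environments or inject a real value.");

        // Local development: resolve a named profile from the shared credentials file.
        if (!string.IsNullOrWhiteSpace(appSettings.AwsProfile))
        {
            var chain = new CredentialProfileStoreChain();
            // Do not ignore the bool: a false result leaves 'credentials' null.
            if (!chain.TryGetAWSCredentials(appSettings.AwsProfile, out AWSCredentials credentials))
                throw new InvalidOperationException(
                    $"AWS profile '{appSettings.AwsProfile}' was not found in the credential store.");
            return new AmazonSQSClient(credentials, sqsConfig);
        }

        // Deployed (ECS): no profile configured, so the client uses the SDK's default
        // credential chain, which on ECS resolves the task role's credentials.
        return new AmazonSQSClient(sqsConfig);
    }
}
```

With this shape, the misconfiguration from the answer surfaces at startup as a clear InvalidOperationException naming the offending value, rather than as an access-denied error from SQS at runtime that looks like an IAM policy problem.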