I have a particular situation with ECS Fargate: the problem is that the task cannot pull secrets, but everything looks good.
I have created a new VPC with 3 public subnets with an IGW and a NAT gateway, and 3 private subnets with the local route and a 0.0.0.0/0 route pointing to the NAT gateway. I also opened all ports and IP communication in the SG, just for testing. The task execution role was granted full privileges, like Admin (just for some minutes). I checked the ACL and there was nothing weird.
Having said that, VPC endpoints should not be necessary. If I run the task without Parameter Store references (1.4) it works, but if I add references to Parameter Store in the task environment variables it starts to fail.
After that I made another test using VPC endpoints: I created endpoints for SSM, Secrets Manager, S3, ecr.dkr and ecr.api. DNS is also enabled at the VPC level, so it should work, but it is not.
I also built an additional EC2 instance and put it in a private subnet with no public IP. I connected to it through a bastion and made several requests to external websites, and it worked, so I can assume that communication from the private subnet AND the NAT would not be an issue. I have already configured AWS accounts this way and it worked.
Later I ran the task in a public subnet with a public IP, with the same result. I also ran a new task in the default subnet with a public IP, but nothing changed.
So at this point I have no clue where the problem can be. Any help will be much appreciated.
The account is part of a federated account.
Thanks for reading.
@marcin thanks for your answer, but yes, I added all the individual permissions first and finally I added admin rights. The problem was really ridiculous, and I found the mistake. Hope it helps: when I had to add the ARN for valueFrom I just typed it, I did not copy it from the CLI JSON query, and I made a mistake typing the zone. I set us-east1 instead of us-east-1. When you type a wrong variable name, the task message shows you that explicitly, saying that it does not exist, but in my case it looks like it got stuck trying to find the endpoint without advising that it does not exist.
Thanks to everyone
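The root cause above (a hand-typed Parameter Store ARN with "us-east1" instead of "us-east-1") is the kind of thing a pre-flight check on the task definition catches before `register-task-definition` is ever called, which is useful precisely because the runtime error is not explicit. The following is an added example and not code from this thread or from AWS: it parses every `secrets[].valueFrom` in a task definition and flags malformed ARNs, region names that do not fit the usual AWS region shape, regions that differ from the task's own region, and resource prefixes that do not match the service. The task definition, ARNs and account ID in it are constructed for illustration, and the region-name regex is an assumption based on the common `xx-word-digit` naming (with an optional middle segment such as `gov`), not an official list.

```python
"""Pre-flight check for the secrets[].valueFrom references in an ECS task definition.

Added example, not from the original thread. The task definition below is
constructed for illustration; the region-name pattern is an assumption based on
the usual <two letters>-<word>-<number> shape (us-east-1, eu-west-2,
us-gov-west-1). It catches the typo from the thread (us-east1 instead of
us-east-1) before the task definition is registered.
"""
import re

# Assumed shape of an AWS region name: two letters, an optional middle word
# (e.g. "gov"), a word, a hyphen and a number. "us-east1" does not match.
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)?-[a-z]+-[0-9]+$")

# Services ECS can inject secrets from (Parameter Store and Secrets Manager).
SECRET_SERVICES = {"ssm", "secretsmanager"}


def parse_arn(arn):
    """Split an ARN into its six colon-separated fields, or return None.

    arn:partition:service:region:account-id:resource
    The resource part may itself contain colons (Secrets Manager ARNs do),
    so split at most 5 times.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return None
    keys = ("prefix", "partition", "service", "region", "account", "resource")
    return dict(zip(keys, parts))


def check_secret_reference(value_from, task_region):
    """Return a list of problems found in one valueFrom string.

    A bare parameter name (no "arn:" prefix) is accepted by ECS for Parameter
    Store parameters in the task's own region, so it is not flagged here.
    """
    problems = []
    if not value_from.startswith("arn:"):
        return problems
    arn = parse_arn(value_from)
    if arn is None:
        return [f"{value_from}: not a well-formed ARN"]
    if arn["service"] not in SECRET_SERVICES:
        problems.append(f"{value_from}: service {arn['service']!r} is not ssm or secretsmanager")
    if not REGION_RE.match(arn["region"]):
        problems.append(f"{value_from}: region {arn['region']!r} does not look like an AWS region")
    elif arn["region"] != task_region:
        # A full ARN may point at another region, but a mismatch is usually a
        # typo, so report it for review rather than silently accepting it.
        problems.append(f"{value_from}: region {arn['region']!r} differs from task region {task_region!r}")
    if not re.fullmatch(r"[0-9]{12}", arn["account"]):
        problems.append(f"{value_from}: account {arn['account']!r} is not 12 digits")
    if arn["service"] == "ssm" and not arn["resource"].startswith("parameter/"):
        problems.append(f"{value_from}: ssm resource should start with 'parameter/'")
    if arn["service"] == "secretsmanager" and not arn["resource"].startswith("secret:"):
        problems.append(f"{value_from}: secretsmanager resource should start with 'secret:'")
    return problems


def validate_task_definition(task_def, task_region):
    """Check every secret of every container definition; return all problems."""
    problems = []
    for container in task_def.get("containerDefinitions", []):
        for secret in container.get("secrets", []):
            for msg in check_secret_reference(secret["valueFrom"], task_region):
                problems.append(f"{container['name']}/{secret['name']}: {msg}")
    return problems


# Constructed task definition (not from the thread): the first secret is fine,
# the second reproduces the region typo described above, the third lives in
# another region than the task.
SAMPLE_TASK_DEF = {
    "family": "example-api",
    "containerDefinitions": [
        {
            "name": "api",
            "image": "example/api:latest",
            "secrets": [
                {"name": "DB_PASSWORD",
                 "valueFrom": "arn:aws:ssm:us-east-1:123456789012:parameter/example/db_password"},
                {"name": "API_KEY",
                 "valueFrom": "arn:aws:ssm:us-east1:123456789012:parameter/example/api_key"},
                {"name": "SIGNING_KEY",
                 "valueFrom": "arn:aws:secretsmanager:eu-west-1:123456789012:secret:example/signing-AbCdEf"},
            ],
        }
    ],
}

if __name__ == "__main__":
    for problem in validate_task_definition(SAMPLE_TASK_DEF, "us-east-1"):
        print(problem)
```

Run it against the JSON you are about to pass to `aws ecs register-task-definition` (load the file and call `validate_task_definition` with the region you deploy to); the region mismatch is reported as a problem rather than rejected outright because a full ARN can legitimately reference another region, but in practice it is almost always the same typo this thread ran into.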