
Federated account AWS ECS Fargate task cannot pull secrets from SSM


I have a particular situation with ECS Fargate: the problem is that the task cannot pull secrets, but everything looks good.

I have created a new VPC: 3 public subnets with an IGW and a NAT gateway, and 3 private subnets with the local route and a 0.0.0.0/0 route pointing to the NAT gateway. I also opened all ports and IPs in the SG, just for testing. The task execution role was granted all privileges, like Admin (just for some minutes). I checked the ACLs and there was nothing weird.

Having said that, VPC endpoints would not be necessary. If I run the task without Parameter Store references (platform version 1.4) it works, but if I add references to Parameter Store in the task environment variables it starts to fail.

After that I made another test using VPC endpoints: I created SSM, Secrets Manager, S3, dkr and ecr.api endpoints. DNS is also enabled at VPC level, so it should work, but it does not.

Also I built an additional EC2 instance and put it in a private subnet with no public IP. I connected to it through a bastion and made several requests to external websites, and it worked, so I can assume that the communication from the private subnet through the NAT would not be an issue. I have already configured AWS accounts that way and it worked.

Later I ran the task in a public subnet with a public IP with the same result. I also ran a new task in the default subnet with a public IP, but nothing changed.

So at this point I have no clue where the problem can be. Any help will be much appreciated.

The account is part of a federated account.

Thanks for reading


Solution

  • @marcin thanks for your answer, but yes, I added all the individual permissions first and finally I added admin rights. The problem was really ridiculous and I found the mistake; hope it helps. When I had to add the ARN for valueFrom I just typed it, I did not copy it from the CLI JSON query, and I made a mistake typing the zone: I set us-east1 instead of us-east-1. When you type a wrong variable name, the task message shows you that explicitly, saying that it does not exist, but in my case it looks like it got stuck trying to find the endpoint without advising that it does not exist.

    Thanks to everyone