Amazon ECS - Permission denied when using IAM role on Docker entrypoint
You can now easily inject secrets from SSM or Secrets Manager using the secrets field in the containerDefinitions of a task definition. With this solution, you don't have to run/manage your custom scripts to fetch your secrets anymore.
It looks like this:
{
  "containerDefinitions": [
    {
      "secrets": [
        {
          "name": "environment_variable_name",
          "valueFrom": "arn:aws:secretsmanager:region:aws_account_id:secret:secret_name-AbCdEf"
        }
      ]
    }
  ]
}

{
  "containerDefinitions": [
    {
      "secrets": [
        {
          "name": "environment_variable_name",
          "valueFrom": "arn:aws:ssm:region:aws_account_id:parameter/parameter_name"
        }
      ]
    }
  ]
}
Have a look at AWS Launches Secrets Support for Amazon Elastic Container Service and Specifying Sensitive Data.
You must have a task execution role and reference it in your task definition. Example policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameters",
        "secretsmanager:GetSecretValue",
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:ssm:<region>:<aws_account_id>:parameter/parameter_name",
        "arn:aws:secretsmanager:<region>:<aws_account_id>:secret:secret_name",
        "arn:aws:kms:<region>:<aws_account_id>:key/key_id"
      ]
    }
  ]
}
More info in Required IAM Permissions for Amazon ECS Secrets.
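The piece that usually goes wrong with this setup is the pairing between the task definition and the execution role: the secrets are pulled by the ECS agent using the task execution role (executionRoleArn), not by the container's own task role, and a Secrets Manager ARN ends in a six-character random suffix, so a policy resource that names the secret without that suffix (or without a trailing `*`) will not match it. The script below is an added example, not code from the answer above or from AWS: it reads a task definition and an execution role policy offline and reports every `secrets[].valueFrom` reference the policy does not cover. The task definition, both policies, the account id, region and secret names are constructed sample data.

```python
"""Offline check: does an ECS task execution role policy grant the action
needed for every secrets[].valueFrom reference in a task definition?

Added example, not from the original answer or from AWS. All sample
data below (account id, region, secret and parameter names) is made up.
"""
import fnmatch

# Action the execution role needs, keyed by the service in the valueFrom ARN.
REQUIRED_ACTION = {
    "ssm": "ssm:GetParameters",
    "secretsmanager": "secretsmanager:GetSecretValue",
}


def arn_service(arn):
    """Return the service field of an ARN (arn:partition:service:...)."""
    parts = arn.split(":", 5)
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return parts[2]


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def policy_allows(policy, action, arn):
    """True if some Allow statement grants `action` on `arn`.

    IAM wildcards (* and ?) are matched with fnmatch. Deny statements and
    Condition blocks are ignored, which is enough for a sanity check of a
    simple execution role policy like the one in the answer."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if any(fnmatch.fnmatchcase(arn, r) for r in _as_list(stmt["Resource"])):
            return True
    return False


def missing_secret_permissions(task_def, policy):
    """Return (container, env var, valueFrom, needed action) for every
    secret the execution role policy does not allow reading."""
    missing = []
    for container in task_def["containerDefinitions"]:
        for secret in container.get("secrets", []):
            arn = secret["valueFrom"]
            action = REQUIRED_ACTION.get(arn_service(arn))
            if action is None:
                missing.append((container["name"], secret["name"], arn, "unsupported service"))
            elif not policy_allows(policy, action, arn):
                missing.append((container["name"], secret["name"], arn, action))
    return missing


# Constructed sample task definition: one Secrets Manager secret, one SSM parameter.
TASK_DEF = {
    "family": "web",
    "executionRoleArn": "arn:aws:iam::123456789012:role/webTaskExecutionRole",
    "containerDefinitions": [
        {
            "name": "web",
            "secrets": [
                {"name": "DB_PASSWORD",
                 "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf"},
                {"name": "API_KEY",
                 "valueFrom": "arn:aws:ssm:us-east-1:123456789012:parameter/prod/api_key"},
            ],
        }
    ],
}

# Constructed policy that matches the secret's random suffix with a wildcard.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm:GetParameters", "secretsmanager:GetSecretValue"],
        "Resource": [
            "arn:aws:ssm:us-east-1:123456789012:parameter/prod/api_key",
            "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-*",
        ],
    }],
}

# Constructed policy that names the secret without its suffix: it will not match.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm:GetParameters", "secretsmanager:GetSecretValue"],
        "Resource": [
            "arn:aws:ssm:us-east-1:123456789012:parameter/prod/api_key",
            "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db",
        ],
    }],
}


if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(label, missing_secret_permissions(TASK_DEF, policy) or "all secrets readable")
```

Run it against a task definition pulled with `aws ecs describe-task-definition` and the execution role's policy document to find the reference that makes the task fail to start. If a secret is encrypted with a customer managed KMS key, the role also needs `kms:Decrypt` on that key, which this check does not model.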