
Amazon ECS - Permission denied when using IAM role on Docker entrypoint


You can now easily inject secrets from SSM or Secrets Manager using the secrets in the containerDefinitions of a task definition. With this solution, you don't have to run/manage your custom scripts to fetch your secrets anymore.

It looks like this:

{
    "containerDefinitions": [{
        "secrets": [{
            "name": "environment_variable_name",
            "valueFrom": "arn:aws:secretsmanager:region:aws_account_id:secret:secret_name-AbCdEf"
        }]
    }]
}

{
    "containerDefinitions": [{
        "secrets": [{
            "name": "environment_variable_name",
            "valueFrom": "arn:aws:ssm:region:aws_account_id:parameter/parameter_name"
        }]
    }]
}

Have a look at AWS Launches Secrets Support for Amazon Elastic Container Service and Specifying Sensitive Data.

You must have a task execution role and reference it in your task definition. Example policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameters",
        "secretsmanager:GetSecretValue",
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:ssm:<region>:<aws_account_id>:parameter/parameter_name",
        "arn:aws:secretsmanager:<region>:<aws_account_id>:secret:secret_name",
        "arn:aws:kms:<region>:<aws_account_id>:key/key_id"
      ]
    }
  ]
}

More info in Required IAM Permissions for Amazon ECS Secrets.
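The check a practitioner usually wants after wiring this up is whether the execution role actually covers every secret the task definition references, so a missing grant shows up before the task fails to start. The script below is an added example, not code from the original answer or from AWS: it walks containerDefinitions[].secrets, maps each valueFrom to the IAM action it needs (secretsmanager:GetSecretValue or ssm:GetParameters, as in the policy above), and reports the entries the execution-role policy does not allow. The task definition, the weak policy and the corrected policy are all constructed sample data with made-up ARNs and account id; kms:Decrypt is not checked because the task definition does not reveal whether a secret uses a customer-managed key.

```python
"""Audit an ECS task definition against its task execution role policy.

Added example, not from the original post: it lists the IAM permission each
entry in containerDefinitions[].secrets needs and reports the ones the
execution-role policy does not grant. All ARNs, names and policies below are
constructed sample values.
"""
import fnmatch

# Constructed task definition with one Secrets Manager secret, one SSM
# parameter referenced by ARN, and one SSM parameter referenced by bare name.
TASK_DEFINITION = {
    "family": "web",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "containerDefinitions": [{
        "name": "app",
        "image": "nginx:stable",
        "secrets": [
            {"name": "DB_PASSWORD",
             "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf"},
            {"name": "API_KEY",
             "valueFrom": "arn:aws:ssm:us-east-1:123456789012:parameter/prod/api_key"},
            {"name": "LEGACY_FLAG", "valueFrom": "legacy_flag"},
        ],
    }],
}

# Constructed execution-role policy that only covers the staging SSM path:
# the prod parameter will be reported as missing.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-*"},
        {"Effect": "Allow",
         "Action": ["ssm:GetParameters"],
         "Resource": ["arn:aws:ssm:us-east-1:123456789012:parameter/staging/*"]},
    ],
}

# Corrected policy: the same statements plus the prod parameter, still scoped
# to named resources rather than "*".
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": WEAK_POLICY["Statement"] + [
        {"Effect": "Allow",
         "Action": "ssm:GetParameters",
         "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/prod/api_key"},
    ],
}


def _as_list(value):
    """IAM allows either a string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])


def _requirement(value_from):
    """Return the (action, resource) the execution role needs for a valueFrom
    value, or None for a bare SSM parameter name, which cannot be turned into
    an ARN without knowing the task's region."""
    if value_from.startswith("arn:aws:secretsmanager:"):
        return ("secretsmanager:GetSecretValue", value_from)
    if value_from.startswith("arn:aws:ssm:"):
        return ("ssm:GetParameters", value_from)
    return None


def _allowed(policy, action, resource):
    """True if some Allow statement matches both the action and the resource.
    Wildcards are matched with fnmatch; explicit Deny statements and
    condition keys are not evaluated here."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        if (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
                and any(fnmatch.fnmatchcase(resource, r) for r in resources)):
            return True
    return False


def audit(task_definition, policy):
    """Return {"missing": [(action, resource), ...], "unresolved": [names]}.
    kms:Decrypt is not checked: the task definition does not say whether a
    secret is encrypted with a customer-managed key."""
    missing, unresolved = [], []
    for container in task_definition.get("containerDefinitions", []):
        for secret in container.get("secrets", []):
            req = _requirement(secret["valueFrom"])
            if req is None:
                unresolved.append(secret["valueFrom"])
            elif not _allowed(policy, *req):
                missing.append(req)
    return {"missing": missing, "unresolved": unresolved}


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(label, audit(TASK_DEFINITION, policy))
```

Run against the weak policy the audit flags the prod/api_key parameter as missing and lists legacy_flag as unresolved (a bare name that the policy must still cover by full ARN); against the corrected policy the missing list is empty. The matcher deliberately keeps resources scoped to specific ARNs, as the answer's policy does, rather than suggesting "*".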