AWSSecretsManager GetSecretValueRequest is not using the right IAM role during secret read


I have an ECS service with Fargate which has two containers.

I have the IAM role arn:aws:iam::468589876897:role/app/my-test-app; this role is added to my ECS task_role and execution_role.

I also have a secret with the path /myapp/secret/key_1-zbv0eq, which has a permission something like the one below:

      {
        "Effect": "Deny",
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "*",
        "Condition": {
          "ArnNotLike": {
            "aws:PrincipalArn": [
              "arn:aws:iam::468589876897:role/app/my-test-app"
            ]
          }
        }
      }

And I have the code below to read from my secret manager:

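      import java.nio.ByteBuffer;

      import com.amazonaws.client.builder.AwsClientBuilder;
      import com.amazonaws.services.secretsmanager.AWSSecretsManager;
      import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
      import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;
      import com.amazonaws.services.secretsmanager.model.GetSecretValueResult;
      import com.amazonaws.services.secretsmanager.model.InvalidParameterException;
      import com.amazonaws.services.secretsmanager.model.InvalidRequestException;
      import com.amazonaws.services.secretsmanager.model.ResourceNotFoundException;

      String secretName = "/myapp/secret/key_1-zbv0eq";
      String endpoint = "secretsmanager.us-west-2.amazonaws.com";
      String region = "us-west-2";

      // Build a client with the default credential provider chain
      // (on ECS this resolves to the task role credentials).
      AwsClientBuilder.EndpointConfiguration config = new AwsClientBuilder.EndpointConfiguration(endpoint, region);
      AWSSecretsManagerClientBuilder clientBuilder = AWSSecretsManagerClientBuilder.standard();
      clientBuilder.setEndpointConfiguration(config);
      AWSSecretsManager client = clientBuilder.build();

      String secret;
      ByteBuffer binarySecretData;
      GetSecretValueRequest getSecretValueRequest = new GetSecretValueRequest()
              .withSecretId(secretName).withVersionStage("AWSCURRENT");
      GetSecretValueResult getSecretValueResult = null;
      try {
          getSecretValueResult = client.getSecretValue(getSecretValueRequest);
      } catch (ResourceNotFoundException e) {
          System.out.println("The requested secret " + secretName + " was not found");
      } catch (InvalidRequestException e) {
          System.out.println("The request was invalid due to: " + e.getMessage());
      } catch (InvalidParameterException e) {
          System.out.println("The request had invalid params: " + e.getMessage());
      }

      // If one of the exceptions above was caught there is no result to read.
      if (getSecretValueResult == null) {
          return;
      }

      // Depending on whether the secret was a string or binary, one of these fields will be populated
      if (getSecretValueResult.getSecretString() != null) {
          secret = getSecretValueResult.getSecretString();
          System.out.println(secret);
      } else {
          binarySecretData = getSecretValueResult.getSecretBinary();
          System.out.println(binarySecretData.toString());
      }

  }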

When I run this code I get the error below:

user: arn:aws:sts::468589876897:assumed-role/my-test-app/41810bc3cf2b4c99ad87f641810bc3cf 
is not authorized to perform: secretsmanager:getsecretvalue on resource: 
/myapp/secret/key_1-zbv0eq (service: awssecretsmanager; status code: 400; error code: accessdeniedexception; request id: 8254cdd0-3ce4-4485-bcd8-8af4b08e6fa2

I am not sure how this role is used arn:aws:sts::468589876897:assumed-role/my-test-app/41810bc3cf2b4c99ad87f641810bc3cf instead of arn:aws:iam::468589876897:role/app/my-test-app

I double-checked on the AWS console: the ECS task has a task_iam_role, and the execution role shown in the container definition is arn:aws:iam::468589876897:role/app/my-test-app

What could be missing?

There is 1 answer

0
Fahad Vadakkumpadatah On

In order to retrieve your credentials, your environment must have access to AWS Secrets Manager. This is given through an IAM role. In the policy you are using "Deny" instead of "Allow". The "Get secret value" method will return a JSON which will have all the credentials in a dictionary format. The error you are given says you do not have permission to your environment. I think changing your policy will do your work (change to "Allow" for the get secret method; also allow other services access too if you are using any others, or you can use the Secrets Manager read/write AWS built-in policy).
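
On the two ARNs in the question: STS reports a role session as assumed-role/<role name>/<session name> and leaves out the role path (/app/ here), so both ARNs name the same role. The Python sketch below is an added example, not code from the question or the answer; it maps one ARN to the other and evaluates the posted ArnNotLike condition with a simplified matcher. The function names are hypothetical, and it assumes aws:PrincipalArn carries the role ARN for a role session, as AWS documents.

```python
import fnmatch
import re

# Values copied from the question above.
ROLE_ARN = "arn:aws:iam::468589876897:role/app/my-test-app"
SESSION_ARN = ("arn:aws:sts::468589876897:assumed-role/"
               "my-test-app/41810bc3cf2b4c99ad87f641810bc3cf")
DENY_UNLESS = ["arn:aws:iam::468589876897:role/app/my-test-app"]  # ArnNotLike list

_SESSION = re.compile(r"^arn:([^:]+):sts::(\d{12}):assumed-role/([^/]+)/(.+)$")
_ROLE = re.compile(r"^arn:([^:]+):iam::(\d{12}):role/(?:.+/)?([^/]+)$")


def parse_session_arn(arn):
    """Split an STS assumed-role ARN into partition, account, role and session name."""
    m = _SESSION.match(arn)
    if m is None:
        raise ValueError("not an assumed-role session ARN: " + arn)
    return dict(zip(("partition", "account", "role_name", "session_name"), m.groups()))


def session_belongs_to_role(session_arn, role_arn):
    """True when the session was issued for this role. The session ARN has no
    role path, so compare partition, account and the last path segment only."""
    s = parse_session_arn(session_arn)
    m = _ROLE.match(role_arn)
    return bool(m) and (s["partition"], s["account"], s["role_name"]) == m.groups()


def arn_like(arn, pattern):
    """Simplified ArnLike (assumption): six colon-separated parts, each part
    wildcard-matched with * and ?, case-sensitively."""
    a, p = arn.split(":", 5), pattern.split(":", 5)
    return len(a) == len(p) == 6 and all(
        fnmatch.fnmatchcase(x, y) for x, y in zip(a, p))


def deny_applies(principal_arn, exempt_patterns):
    """The posted statement: Deny when the principal ARN matches none of the patterns."""
    return not any(arn_like(principal_arn, p) for p in exempt_patterns)


if __name__ == "__main__":
    print("session is for role:", session_belongs_to_role(SESSION_ARN, ROLE_ARN))
    # Role ARN (what aws:PrincipalArn holds for a role session): condition is false.
    print("deny for role ARN:", deny_applies(ROLE_ARN, DENY_UNLESS))
    # A session ARN compared against the same list never matches it.
    print("deny for session ARN:", deny_applies(SESSION_ARN, DENY_UNLESS))
```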