-
Notifications
You must be signed in to change notification settings - Fork 4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AccessDeniedException for containers trying to access SSM parameters #241
AccessDeniedException for containers trying to access SSM parameters #241
Comments
I've so far verified:
So now I'm wondering how we granted the original Role for SSM access (which I can't tell at first glance whether it's for accessing encrypted parameters or for any parameters) to ECS and/or to the tasks and/or to the containers: |
Digging a bit deeper, here's how it appears that ECS containers are getting access to SSM parameters:
I notice that in the above error, the "assumed-role" is named It appears by all intents that we've generated the Role and Policy by hand, one-off, and that they're hard-coded to the current So it looks like we'll have to add some Policy and Role creation logic into the CF templates to be able to map these to whatever we need for each new stack we create (staging, production, test). |
Update: tracing the problem, it appears that the root cause of our AccessDeniedException is this:
Question to consider: is it possible to inline the SSM policy? If yes, do we need to declare some variables somewhere in the stack templates to name the various resources being allowed in the policy? If not, how else can we anticipate and help someone else using these templates to make sure their own SSM parameter & key resources can be easily substituted for the ones that we currently have hard-coded in our |
Resolved by hackoregon/hackoregon-aws-infrastructure#66 |
hackoregon/hackoregon-aws-infrastructure#67 documents an enhancement to refactor the hard-coded SSM resources out of |
When deploying a fresh CloudFormation stack to test out the configuration of our services, I'm seeing that while the stack now successfully deploys, CloudWatch logs for the service containers are reporting that for any container attempting to read SSM parameters, they're getting this error for every call to
aws ssm get-parameters
:An error occurred (AccessDeniedException) when calling the GetParameters operation: User: arn:aws:sts::845828040396:assumed-role/miketesting20190527-ECSRole-us-west-2/i-081cc40f40abe42cd is not authorized to perform: ssm:GetParameters on resource: arn:aws:ssm:us-west-2:845828040396:parameter/production/2018/API/local-elections/POSTGRES_NAME
https://user-images.githubusercontent.com/6953053/58753129-a9695680-846f-11e9-9709-af7517e02789.png
Originally sub-reported here:
hackoregon/hackoregon-aws-infrastructure#63 (comment)
The text was updated successfully, but these errors were encountered: