Reputation: 1447
I have a Docker container running in AWS Fargate. It needs to access Parameter Store to fetch some parameters. When I run it, it fails on the following code:

    import boto3
    from botocore.exceptions import ClientError

    ssm = boto3.client('ssm', region_name='us-east-1')

    def get_ssm_parameter(name: str, with_decryption=False) -> str:
        try:
            response = ssm.get_parameter(
                Name=name,
                WithDecryption=with_decryption)
            parameter = response['Parameter']['Value']
        except ClientError as error:
            print(error.response['Error']['Code'])
            raise
        return parameter
I have an IAM role for the ECS task which has the following policies:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ecr:GetAuthorizationToken",
            "ecr:BatchCheckLayerAvailability",
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchGetImage",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
          ],
          "Resource": "*"
        }
      ]
    }

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ssm:GetParameters"
          ],
          "Resource": [
            "arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_PWD",
            "arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_USERNAME"
          ]
        }
      ]
    }
I believe that boto3 cannot find AWS credentials and that is why it raises the error. I also tried to attach the AmazonSSMFullAccess policy to the ECS role but it still gives the same error. Can't seem to understand why. I don't want to hard-code the credentials in the code and am looking for a way to use an IAM role to give access to Parameter Store.
Update:
I added the secrets in the task definition like this:

    "secrets": [
      {
        "valueFrom": "arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_USERNAME",
        "name": "MONGODB_USERNAME"
      },
      {
        "valueFrom": "arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_PWD",
        "name": "MONGODB_PWD"
      }
    ]

I also added the following policy to my ECS role:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ssm:GetParameters"
          ],
          "Resource": [
            "arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_PWD",
            "arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_USERNAME"
          ]
        }
      ]
    }
Now I am getting a different error:
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetParameter operation: User: arn:aws:sts::633157335118:assumed-role/ecsTaskExecutionRole/9620073221dc4c118ee500f2834898ce is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1:633157335118:parameter/MONGODB_USERNAME
Upvotes: 1
Views: 4451
Reputation: 1447
I was able to resolve it after attaching the AmazonSSMFullAccess policy to the ECS role.
Upvotes: 0
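The AccessDeniedException in the question names the action the role lacks: the code calls the singular `GetParameter`, while the attached policy only grants the plural `ssm:GetParameters`, and IAM does not treat one as covering the other. Attaching AmazonSSMFullAccess, as in the answer, works but gives the task write access to every parameter in the account. The following added example (not code from the question or answer) evaluates both policies offline with a simplified IAM matcher so you can see exactly which action is missing, and shows a least-privilege policy that grants only the read actions the code needs, plus `kms:Decrypt` for SecureString values fetched with `WithDecryption=True`. The account ID, KMS key ARN and parameter names are constructed placeholders, not the values from the question.

```python
import fnmatch
import os

# Constructed placeholders; substitute your own account, key and parameter ARNs.
ACCOUNT = "123456789012"
REGION = "us-east-1"
PARAM_ARNS = [
    f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/MONGODB_PWD",
    f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/MONGODB_USERNAME",
]
KMS_KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/00000000-0000-0000-0000-000000000000"

# The policy shape from the question: only the plural action is allowed.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ssm:GetParameters"], "Resource": PARAM_ARNS},
    ],
}

# Least-privilege alternative to AmazonSSMFullAccess: read-only, scoped to the
# two parameters, plus kms:Decrypt on the key that protects SecureString values.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ssm:GetParameter", "ssm:GetParameters"],
            "Resource": PARAM_ARNS,
        },
        {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": [KMS_KEY_ARN]},
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants access. Actions are matched case-insensitively with IAM's
    '*' and '?' wildcards; resource ARNs are matched case-sensitively."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_permissions(policy: dict, parameter_arn: str, with_decryption: bool,
                        kms_key_arn: str = KMS_KEY_ARN) -> list:
    """Return the (action, resource) pairs that get_parameter() needs but the
    policy does not grant. With WithDecryption=True on a SecureString parameter,
    SSM also calls KMS on the caller's behalf, so kms:Decrypt is required."""
    needed = [("ssm:GetParameter", parameter_arn)]
    if with_decryption:
        needed.append(("kms:Decrypt", kms_key_arn))
    return [(a, r) for a, r in needed if not policy_allows(policy, a, r)]


def task_role_credentials_available() -> bool:
    """On Fargate, boto3 obtains the task role's credentials from the container
    credential endpoint advertised by this environment variable; if it is unset
    the task has no taskRoleArn and boto3 falls through to other providers."""
    return bool(os.environ.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"))


if __name__ == "__main__":
    for label, policy in [("original", ORIGINAL_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)]:
        print(label, "missing:", missing_permissions(policy, PARAM_ARNS[1], True))
    print("task role credentials available:", task_role_credentials_available())
```

Two points follow from the output. First, the original policy is missing `ssm:GetParameter` for the singular call; adding that one action (and `kms:Decrypt` if the parameters are SecureString) fixes the AccessDeniedException without granting full SSM access. Second, the denied principal in the error is `ecsTaskExecutionRole`: the execution role is what ECS uses to inject `secrets` into the task definition, whereas boto3 calls made by the application use the task role set by `taskRoleArn`, so the read policy belongs on whichever role actually makes the call.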