rfujino

Reputation: 31

【AWS SDK PHP】Unable to access SecretsManager from ECS by IAM role

I have a PHP application running on ECS Fargate 1.14. The aws-sdk-php version is 3.

I want to get a secret value stored in AWS SecretsManager by IAM role, not by AWS access key/ID, for security reasons. I set up SecretsManagerClient like this.

use Aws\SecretsManager\SecretsManagerClient;

$config = [
    'version' => '2017-10-17',
    'region'  => 'ap-northeast-1',
];

return new SecretsManagerClient($config);

I didn't add 'credentials' because I want to access SecretsManager by IAM role.

The “Task Role” (not Task Execution Role) of my container has policy “SecretsManagerReadWrite”.

However, I can't access SecretsManager; I get this error.

Error: [Aws\Exception\CredentialsException] Error retrieving credentials from the instance profile metadata service. (cURL error 7: (see https://curl.haxx.se/libcurl/c/libcurl-errors.html)) in /share/swell/cgi-bin/vendor/aws/aws-sdk-php/src/Credentials/InstanceProfileProvider.php on line 240

What does this message mean?

I know the AWS client looks for credentials in the order below:

1. Load credentials from environment variables.
2. Load credentials from a credentials .ini file.
3. Load credentials from an IAM role.

Doesn't this situation apply to No.3?

Or am I attaching the wrong policy?

Added info on 2021/06/18

I changed the policy attached to ECS Task Role to "PowerUserAccess". The error message changed to 404.

2021-06-18 01:52:12 Error: [Aws\Exception\CredentialsException] Error retrieving credentials from the instance profile metadata service. (Client error: `GET http://169.254.169.254/latest/meta-data/iam/security-credentials/` resulted in a `404 Not Found` response:

Upvotes: 2

Views: 1359

Answers (1)

rfujino

Reputation: 31

It was because EC2 and ECS have different locations for obtaining credential information.

  • EC2: http://169.254.169.254/latest/meta-data/iam/security-credentials/
  • ECS: http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI

I had to set environment variable "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" to my web app container. I added this line to my Dockerfile and now I’m able to access SecretsManager.

RUN echo 'export $(strings /proc/1/environ | grep AWS_CONTAINER_CREDENTIALS_RELATIVE_URI)' >> /etc/bashrc

https://forums.aws.amazon.com/thread.jspa?threadID=273767

Upvotes: 1
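The provider order in the question and the ECS-specific endpoint in the answer both come down to one thing: the SDK only tries the ECS container credential endpoint (169.254.170.2) when AWS_CONTAINER_CREDENTIALS_RELATIVE_URI (or AWS_CONTAINER_CREDENTIALS_FULL_URI) is visible to the PHP process; otherwise it falls through to the EC2 instance metadata endpoint, which on Fargate produces exactly the cURL error 7 / 404 shown above. The following is an added example (not code from the question or the answer) that pins the client to the ECS task role explicitly and fails with a readable diagnostic when the variable is missing, instead of letting the fallback happen. It assumes aws-sdk-php v3 installed via Composer; the secret name is a placeholder.

```php
<?php
// Added example: use the ECS task role only, never static keys and never
// the EC2 instance metadata fallback. Assumes aws-sdk-php v3 via Composer.
require __DIR__ . '/vendor/autoload.php';

use Aws\Credentials\CredentialProvider;
use Aws\Exception\AwsException;
use Aws\SecretsManager\SecretsManagerClient;

/**
 * Build a SecretsManagerClient whose credentials come from the ECS task role.
 *
 * The ECS agent injects AWS_CONTAINER_CREDENTIALS_RELATIVE_URI into the
 * container's environment; the SDK appends it to http://169.254.170.2 to
 * fetch temporary credentials for the task role. If the variable is not
 * visible to this PHP process, stop here with a clear message rather than
 * letting the default chain fall back to 169.254.169.254 (EC2 IMDS).
 */
function taskRoleSecretsManagerClient(string $region): SecretsManagerClient
{
    $relativeUri = getenv('AWS_CONTAINER_CREDENTIALS_RELATIVE_URI');
    $fullUri     = getenv('AWS_CONTAINER_CREDENTIALS_FULL_URI');
    if ($relativeUri === false && $fullUri === false) {
        throw new RuntimeException(
            'AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is not set for this process; '
            . 'the ECS task role cannot be used. Check how PHP (CGI/FPM) inherits its environment.'
        );
    }

    // ecsCredentials() talks only to the ECS credential endpoint; memoize()
    // caches the temporary credentials and refreshes them before they expire.
    $provider = CredentialProvider::memoize(CredentialProvider::ecsCredentials());

    return new SecretsManagerClient([
        'version'     => '2017-10-17',
        'region'      => $region,
        'credentials' => $provider,
    ]);
}

/**
 * Fetch a secret's string value. On failure only the secret name and the
 * AWS error code are logged, never the value, so a misconfiguration does
 * not leak secret material into application logs.
 */
function fetchSecretString(SecretsManagerClient $client, string $secretId): ?string
{
    try {
        $result = $client->getSecretValue(['SecretId' => $secretId]);
        // Binary secrets are returned under 'SecretBinary' instead.
        return $result['SecretString'] ?? null;
    } catch (AwsException $e) {
        error_log(sprintf(
            'SecretsManager GetSecretValue failed for %s: %s',
            $secretId,
            $e->getAwsErrorCode() ?? $e->getMessage()
        ));
        return null;
    }
}

$client     = taskRoleSecretsManagerClient('ap-northeast-1');
$dbPassword = fetchSecretString($client, 'example/app/db-password'); // placeholder secret name
```

Pinning the provider this way turns a silent fallback into an explicit error at startup, which is what you want when the task role is the only credential source that should ever be used. The RuntimeException is also the place to look when diagnosing environments like the cgi-bin path in the question: PHP-FPM, for example, clears the inherited environment by default (`clear_env = yes` in the pool configuration), so the ECS agent's variable has to be passed through to the workers for the task role to be reachable at all.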
