# prefect-community
j
Hello, I am trying to set up a Prefect agent in an AWS ECS task... it worked, but inside the Python scripts this Prefect agent is running, I am instantiating boto3 to talk to our SSM Parameters but I am getting an "AccessDenied" error. It must be related to policies, but I have a hard time solving that issue (editing policies, editing roles, etc. and still getting the same thing)
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetParameter operation: User: arn:aws:sts::999999999999:assumed-role/MyRole-dev/12345459ba45458183ed3d1aa5112341 is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:region:999999999999:parameter/XXX/value because no identity-based policy allows the ssm:GetParameter action
What is your suggestion here, or a possible solution for this?
k
Yeah, roles are always hard, man. What roles are you attaching to ECSRun?
j
what do you mean? These?
executionRoleArn
taskRoleArn
k
Yeah do you have both specified? It should be those with the permissions
j
yes, I have them filled with roles, and both roles are configured to get SSM parameters 😕
k
I guess that means the boto client you are creating might not be using those credentials? Or does the log say it is? The log shows the right role?
j
yup, the log says it is the right role... but it is kind of attached to an ECS user, which seems to exist only inside ECS
I was thinking maybe set up access keys for AWS in SSM and pull them at container creation and then pass these to my Python script and avoid the problem... but what is your opinion about it (regarding security)?
k
If you mean hardcoding, we shouldn’t have to get to that. Prefect Secrets might be a lot easier to use before you have to do that
j
not hardcoded. Set them as SSM parameters and build them as secrets in the container
k
That may work yeah
j
Thanks. I think I got tired of seeing what to change in the policies 😕
k
I know. Those are always very painful