Javier Ochoa

06/23/2022, 6:48 PM
Hello, I am trying to set up a Prefect agent in an AWS ECS task. It worked, but inside the Python scripts this Prefect agent is running, I am instantiating a boto3 client to talk to our SSM Parameters and I am getting an "AccessDenied" error. It must be related to policies, but I have a hard time solving that issue (editing policies, editing roles, etc., and still getting the same thing):
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetParameter operation: User: arn:aws:sts::999999999999:assumed-role/MyRole-dev/12345459ba45458183ed3d1aa5112341 is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:region:999999999999:parameter/XXX/value because no identity-based policy allows the ssm:GetParameter action
What is your suggestion here, or a possible solution for this?
Kevin Kho

06/23/2022, 7:02 PM
Yeah, roles are always hard, man. What roles are you attaching to ECSRun?
Javier Ochoa

06/23/2022, 7:08 PM
What do you mean? These?
executionRoleArn
taskRoleArn
Kevin Kho

06/23/2022, 7:09 PM
Yeah, do you have both specified? It should be those with the permissions.
Javier Ochoa

06/23/2022, 7:15 PM
Yes, I have them filled with roles, and both roles are configured to get SSM parameters 😕
Kevin Kho

06/23/2022, 7:19 PM
I guess that means the boto client you are creating might not be using those credentials? Or does the log say it is? The log shows the right role?
Javier Ochoa

06/23/2022, 7:44 PM
Yup, the log says it is the right role... but it is kind of attached to an ECS user, which seems to only exist inside ECS.
I was thinking maybe set up access keys for AWS in SSM, pull them at container creation and then pass these to my Python script and avoid the problem... but what is your opinion about it (regarding security)?
Kevin Kho

06/23/2022, 7:47 PM
If you mean hardcoding, we shouldn't have to get to that. Prefect Secrets might be a lot easier to use before you have to do that.
Javier Ochoa

06/23/2022, 7:48 PM
Not hardcoded. Set them as SSM parameters and build them as secrets in the container.
Kevin Kho

06/23/2022, 7:52 PM
That may work, yeah.
Javier Ochoa

06/23/2022, 7:52 PM
Thanks. I think I got tired of seeing what to change in the policies 😕
Kevin Kho

06/23/2022, 7:52 PM
I know. Those are always very painful.