Experience running in ECS containers?
jdelStrother opened this issue · 2 comments
Can I ask if you've tried running pstore within an ECS container? I'm really not sure why mine's not working, was wondering if it was a known problem.
I'm running a container on an Amazon ECS-optimized instance. My container has a task role to give it access to my SSM keys. Within the container, `curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` gives the correct role.
Additionally, I can fetch the keys successfully using the aws-cli tool:
`aws ssm get-parameters --region=eu-west-1 --names imogen.license --with-decryption`
However, pstore seems to be unable to fetch the same key:
```
$ AWS_REGION=eu-west-1 PSTORE_LICENSE=imogen.license pstore exec --verbose -- /bin/bash -c 'echo val is $LICENSE'
✗ Failed to decrypt imogen.license=LICENSE (request ID: 5181b60f-be6c-11e7-af11-63590df9a94d)
ERROR: Failed to decrypt some secret values
```
It doesn't seem to make a difference if the parameter is encrypted or not. Can I do anything to narrow the problem down?
Hiya! Sorry for the slow response, I was on vacation and just got back.
Yes, ECS is the primary environment in which I've been running pstore. I've been meaning to add more documentation to the README for a complete example of how to use it - especially because I think I might know what the problem is.
I switched to using the `GetParameter` API in places instead of `GetParameters` - notice the singular form instead of the plural. This is a newer API and annoyingly (but understandably) IAM distinguishes between these two actions. I suppose you have granted the IAM task role access to `iam:GetParameters` but not `iam:GetParameter`.
Another source of issues (probably) would be that when specifying parameters by tag (instead of by name) I am still using `GetParameters`! I should probably use one or the other, but not both.
Let me know if that solves your issue. I'll update the docs too!
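For reference, here is a task-role policy that grants both of the actions discussed above. This is an added example, not code from the pstore project or from either participant in this thread. In IAM the two Parameter Store actions are named under the `ssm:` service prefix (`ssm:GetParameter` and `ssm:GetParameters`). The region and parameter name come from the thread; the account ID and the KMS key ID are placeholders. The second statement is only needed when the parameter is a SecureString encrypted with a customer-managed KMS key (with the default `aws/ssm` key no extra KMS permission is required). JSON does not allow comments, so the `Sid` values carry the labels.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowBothSingularAndPluralGetParameter",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters"
      ],
      "Resource": "arn:aws:ssm:eu-west-1:123456789012:parameter/imogen.license"
    },
    {
      "Sid": "DecryptSecureStringWithCustomerManagedKeyPlaceholder",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:eu-west-1:123456789012:key/00000000-0000-0000-0000-000000000000"
    }
  ]
}
```

Scoping `Resource` to the exact parameter ARN (or a `parameter/myapp/*` prefix) rather than `*` keeps the task role to least privilege; a quick way to confirm which of the two actions is missing is to run `aws ssm get-parameter --name imogen.license` (singular) alongside the `aws ssm get-parameters` call from the question and see which one returns `AccessDeniedException`.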
Sorry - I finally managed to get some time to look at this again, and you were completely right - I was missing `iam:GetParameter`. Thanks for the help!