I'm bootstrapping an ECS Cluster with AWS CDK.
I created SecureStrings in SSM which I want to pass to the container secrets.
But when starting the service I get the following error message on the task:
"ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve secrets from ssm: service call has been retried 1 time(s): AccessDeniedException: User: arn:aws:sts::<ACCOUNT_ID>:assumed-role..."
The task runs in a private VPC, so I attached a VPC endpoint for service name com.amazonaws.eu-central-1.ssm to the VPC (both subnets). I also created a security group that allows TCP 443 INBOUND from 0.0.0.0/0 and attached that security group to the VPC endpoint.
I have no clue what I should do for troubleshooting.
Best Answer
The fact you are getting an access denied may mean you don't have the proper permissions specified in the Task role. Check out the considerations listed here.