I have a PHP application running on ECS Fargate 1.14; the aws-sdk-php version is 3.
I want to get a secret value stored in AWS SecretsManager using an IAM role, not an AWS access key ID/secret, for security reasons. I set up SecretsManagerClient like this:
    use Aws\SecretsManager\SecretsManagerClient;

    // No 'credentials' key: the SDK should pick them up from the task's IAM role.
    $config = [
        'version' => '2017-10-17',
        'region'  => 'ap-northeast-1',
    ];
    return new SecretsManagerClient($config);
I didn't add 'credentials' because I want to access SecretsManager via the IAM role.
The "Task Role" (not the Task Execution Role) of my container has the policy "SecretsManagerReadWrite".
However, I can't access SecretsManager and get this error:

    Error: [Aws\Exception\CredentialsException] Error retrieving credentials from the instance profile metadata service. (cURL error 7: (see https://curl.haxx.se/libcurl/c/libcurl-errors.html)) in /share/swell/cgi-bin/vendor/aws/aws-sdk-php/src/Credentials/InstanceProfileProvider.php on line 240

What does this message mean?
I know AWSClient looks for credentials in the order below:

1. Load credentials from environment variables.
2. Load credentials from a credentials .ini file.
3. Load credentials from an IAM role.

Doesn't this situation apply to No. 3?
Or am I attaching the wrong policy?
Added info on 2021/06/18:
I changed the policy attached to the ECS Task Role to "PowerUserAccess". The error message changed to a 404:

    2021-06-18 01:52:12 Error: [Aws\Exception\CredentialsException] Error retrieving credentials from the instance profile metadata service. (Client error: `GET http://169.254.169.254/latest/meta-data/iam/security-credentials/` resulted in a `404 Not Found` response:
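As an added example (not code from the question), here is how the same client can be built with an explicit credential chain that ends in the SDK's ECS task-role provider, plus a check that the variable the ECS agent injects for that provider actually reaches the PHP process. It assumes aws-sdk-php v3 installed via Composer; the secret name, the chain ordering and the `buildSecretsManagerClient`/`readSecret` helpers are my own choices.

```php
<?php
// Added example, not the question's code. Assumes aws-sdk-php v3 via Composer and an
// ECS task, where the agent injects AWS_CONTAINER_CREDENTIALS_RELATIVE_URI into the container.
require __DIR__ . '/vendor/autoload.php';

use Aws\Credentials\CredentialProvider;
use Aws\SecretsManager\SecretsManagerClient;

// The SDK only consults the ECS container credentials endpoint (169.254.170.2) when
// this variable is visible to the PHP process; otherwise its default chain falls back
// to the EC2 instance metadata endpoint (169.254.169.254), which is what the
// InstanceProfileProvider error above refers to.
const ECS_CREDS_ENV = 'AWS_CONTAINER_CREDENTIALS_RELATIVE_URI';

function buildSecretsManagerClient(string $region): SecretsManagerClient
{
    if (getenv(ECS_CREDS_ENV) === false) {
        // A common cause (assumption, verify in your setup): a web server or php-fpm
        // pool that clears the environment, so the agent-set variable never reaches
        // PHP. Fail loudly instead of letting the SDK probe 169.254.169.254.
        throw new RuntimeException(ECS_CREDS_ENV . ' is not set in the PHP process environment');
    }

    // Explicit chain: env vars -> shared ini file -> ECS task role. Memoized so the
    // credentials endpoint is not called on every request. No static keys anywhere.
    $provider = CredentialProvider::memoize(
        CredentialProvider::chain(
            CredentialProvider::env(),
            CredentialProvider::ini(),
            CredentialProvider::ecsCredentials()
        )
    );

    return new SecretsManagerClient([
        'version'     => '2017-10-17',
        'region'      => $region,
        'credentials' => $provider,
    ]);
}

function readSecret(SecretsManagerClient $client, string $secretId): string
{
    // A read-only consumer needs only secretsmanager:GetSecretValue on this secret;
    // scope the task role to that rather than SecretsManagerReadWrite or PowerUserAccess.
    $result = $client->getSecretValue(['SecretId' => $secretId]);
    return (string) $result['SecretString'];
}

$client = buildSecretsManagerClient('ap-northeast-1');
echo readSecret($client, 'my/app/db-password'), PHP_EOL; // hypothetical secret name
```

If the RuntimeException fires, the task role and its policy are not the problem; the environment between the ECS agent and the PHP process is.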