My Java code contains the following snippet:
    final AWSSecretsManager client = AWSSecretsManagerClientBuilder
            .standard()
            .withRegion("us-west-1")
            .withCredentials(CredentialsProviderChain.getInstance())
            .build();
    final GetSecretValueRequest getSecretValueRequest = new GetSecretValueRequest()
            .withSecretId(secretName);
    final GetSecretValueResult getSecretValueResult = client.getSecretValue(getSecretValueRequest);
I’m running this as a task inside ECS, where the task is given an appropriate Task Role to access the secrets manager. However, when I try to start my service, I get the following error:
    Fail to retrieve token {} com.amazonaws.SdkClientException: Failed to connect to service endpoint:
        at com.amazonaws.internal.EC2ResourceFetcher.doReadResource(EC2ResourceFetcher.java:119)
        at com.amazonaws.internal.InstanceMetadataServiceResourceFetcher.getToken(InstanceMetadataServiceResourceFetcher.java:106)
        at com.amazonaws.internal.InstanceMetadataServiceResourceFetcher.readResource(InstanceMetadataServiceResourceFetcher.java:77)
        at com.amazonaws.internal.EC2ResourceFetcher.readResource(EC2ResourceFetcher.java:66)
        at com.amazonaws.auth.InstanceMetadataServiceCredentialsFetcher.getCredentialsEndpoint(InstanceMetadataServiceCredentialsFetcher.java:61)
        at com.amazonaws.auth.InstanceMetadataServiceCredentialsFetcher.getCredentialsResponse(InstanceMetadataServiceCredentialsFetcher.java:49)
        at com.amazonaws.auth.BaseCredentialsFetcher.fetchCredentials(BaseCredentialsFetcher.java:154)
        at com.amazonaws.auth.BaseCredentialsFetcher.getCredentials(BaseCredentialsFetcher.java:96)
        at com.amazonaws.auth.InstanceProfileCredentialsProvider.getCredentials(InstanceProfileCredentialsProvider.java:174)
        at com.amazonaws.auth.AWSCredentialsProviderChain.getCredentials(AWSCredentialsProviderChain.java:118)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.getCredentialsFromContext(AmazonHttpClient.java:1269)
        at ...
That InstanceProfileCredentialsProvider looks incorrect to me – shouldn’t the CredentialsProviderChain be choosing EC2ContainerCredentialsProviderWrapper instead? Do I need to specify EC2ContainerCredentialsProvider here? I run some code inside EC2, and some inside ECS, so I want my library code to just figure things out here, if possible.
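
An added example, not part of the original post: a provider chain for library code that runs both on EC2 and in ECS tasks, built on the AWS SDK for Java v1 class `EC2ContainerCredentialsProviderWrapper`, plus a check of which metadata source that wrapper will use in the current process. The class name `TaskRoleAwareSecrets` and the fallback secret name are hypothetical; the poster's own `CredentialsProviderChain` is not shown on the page, so this does not reproduce it.

```java
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSCredentialsProviderChain;
import com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper;
import com.amazonaws.auth.EnvironmentVariableCredentialsProvider;
import com.amazonaws.auth.SystemPropertiesCredentialsProvider;
import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;

public final class TaskRoleAwareSecrets { // hypothetical class name
    // ECS sets the relative URI for a task that has a task role; the full URI
    // form is the alternative the SDK wrapper also honours.
    static final String RELATIVE_URI = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI";
    static final String FULL_URI = "AWS_CONTAINER_CREDENTIALS_FULL_URI";

    /** Reports which metadata source the wrapper will use in this process. */
    static String expectedSource() {
        boolean container = System.getenv(RELATIVE_URI) != null || System.getenv(FULL_URI) != null;
        return container ? "container credentials endpoint (task role)"
                         : "EC2 instance metadata service (instance profile)";
    }

    /** Chain for code that runs both on plain EC2 and inside ECS tasks. */
    static AWSCredentialsProvider chain() {
        return new AWSCredentialsProviderChain(
                new EnvironmentVariableCredentialsProvider(),
                new SystemPropertiesCredentialsProvider(),
                // Uses container credentials when one of the variables above is
                // set, otherwise falls back to the instance profile.
                new EC2ContainerCredentialsProviderWrapper());
    }

    public static void main(String[] args) {
        System.out.println("Expected credential source: " + expectedSource());
        AWSSecretsManager client = AWSSecretsManagerClientBuilder.standard()
                .withRegion("us-west-1")
                .withCredentials(chain())
                .build();
        // Constructed placeholder name; pass the real secret id as the first argument.
        String secretName = args.length > 0 ? args[0] : "example/placeholder-secret";
        String value = client.getSecretValue(
                new GetSecretValueRequest().withSecretId(secretName)).getSecretString();
        // Never log the secret itself; its length is enough to confirm access.
        System.out.println("Retrieved secret of length " + (value == null ? 0 : value.length()));
    }
}
```

If `expectedSource()` reports the instance metadata service inside a task, the container credential variables are not reaching the JVM, and any credentials obtained would belong to the host's instance profile rather than the task role.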