Question

My java code contains the following snippet:

final AWSSecretsManager client = AWSSecretsManagerClientBuilder
                .standard()
                .withRegion("us-west-1")
                .withCredentials(CredentialsProviderChain.getInstance())
                .build();
final GetSecretValueRequest getSecretValueRequest = new GetSecretValueRequest()
                .withSecretId(secretName);
final GetSecretValueResult getSecretValueResult = client.getSecretValue(getSecretValueRequest);

I’m running this as a task inside ECS, where the task is given an appropriate Task Role to access the secrets manager. However, when I try to start my service, I get the following error:

Fail to retrieve token {} com.amazonaws.SdkClientException: Failed to connect to service endpoint: 
  at com.amazonaws.internal.EC2ResourceFetcher.doReadResource(EC2ResourceFetcher.java:119) 
  at com.amazonaws.internal.InstanceMetadataServiceResourceFetcher.getToken(InstanceMetadataServiceResourceFetcher.java:106) 
  at com.amazonaws.internal.InstanceMetadataServiceResourceFetcher.readResource(InstanceMetadataServiceResourceFetcher.java:77) 
  at com.amazonaws.internal.EC2ResourceFetcher.readResource(EC2ResourceFetcher.java:66)   at com.amazonaws.auth.InstanceMetadataServiceCredentialsFetcher.getCredentialsEndpoint(InstanceMetadataServiceCredentialsFetcher.java:61) 
  at com.amazonaws.auth.InstanceMetadataServiceCredentialsFetcher.getCredentialsResponse(InstanceMetadataServiceCredentialsFetcher.java:49) 
  at com.amazonaws.auth.BaseCredentialsFetcher.fetchCredentials(BaseCredentialsFetcher.java:154) 
  at com.amazonaws.auth.BaseCredentialsFetcher.getCredentials(BaseCredentialsFetcher.java:96) 
  at com.amazonaws.auth.InstanceProfileCredentialsProvider.getCredentials(InstanceProfileCredentialsProvider.java:174) 
  at com.amazonaws.auth.AWSCredentialsProviderChain.getCredentials(AWSCredentialsProviderChain.java:118) 
  at com.amazonaws.http.AmazonHttpClient$RequestExecutor.getCredentialsFromContext(AmazonHttpClient.java:1269) 
  at  ...

That InstanceProfileCredentialsProvider looks incorrect to me – shouldn’t the CredentialsProviderChain be choosing EC2ContainerCredentialsProviderWrapper instead? Do I need to specify EC2ContainerCredentialsProvider here? I run some code inside EC2, and some inside ECS, so I want my library code to just figure things out here, if possible.

Java ECS Task using wrong credentials provider

LEAVE A COMMENT Hủy