fix: add permisson to task execution role policy

src/ContainerCluster.ts

@@ -411,6 +411,7 @@ export class ContainerClusterStack extends Stack {
       environment: {
         IRMA_GW_URL: this.hostedzone.zoneName, // protocol prefix is added in the container
       },
+      secretsKmsKeyArn: ssm.StringParameter.valueForStringParameter(this, Statics.ssmProtectionKeyArn),
     });
 
     // Allow role to use the protection key for accessing the secrets on startup

src/ParameterStack.ts

@@ -38,7 +38,6 @@ export class SecretsStack extends Stack {
   }
 
 
-
   createYiviProtectionKey() {
     const key = new kms.Key(this, 'protection-key', {
       description: 'Key for protecting access to secrets for Yivi',

src/constructs/EcsFargateService.ts

@@ -4,6 +4,7 @@ import {
   aws_secretsmanager as secrets,
   aws_cloudwatch as cloudwatch,
   aws_elasticloadbalancingv2 as loadbalancing,
+  aws_iam as iam,
 } from 'aws-cdk-lib';
 import { SecurityGroup, SubnetType } from 'aws-cdk-lib/aws-ec2';
 import { Construct } from 'constructs';
@@ -78,6 +79,12 @@ export interface EcsFargateServiceProps {
    */
   environment?: { [key: string]: string };
 
+  /**
+   * The ARN of the key used to encrypt the secrets
+   * (execution role is given permissions to access the key)
+   */
+  secretsKmsKeyArn?: string;
+
 }
 
 /**
@@ -165,6 +172,14 @@ export class EcsFargateService extends Construct {
       secrets: props.secrets,
       environment: props.environment,
     });
+
+    if (props.secretsKmsKeyArn) {
+      taskDef.addToExecutionRolePolicy(new iam.PolicyStatement({
+        effect: iam.Effect.ALLOW,
+        actions: ['kms:Decrypt'],
+        resources: [props.secretsKmsKeyArn],
+      }));
+    }
     return taskDef;
   }