# ask-community

Alexander Whillas

09/01/2022, 2:24 AM
just to confirm: it's the daemon process that runs the sensors and so if the sensor reads from an SQS queue, it is the daemon only that needs access to that queue?


09/01/2022, 12:50 PM
that's correct

Alexander Whillas

09/01/2022, 9:57 PM
turns out it's the user code that needs the permissions(???). I'm having issues now trying to hook into the secrets management stuff. I've given the user_code task execution_role access to the secrets manager but it's failing to start the container
```
ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve secret from asm: service call has been retried 1 time(s): failed to fetch secret arn:aws:secretsmanager:ap-southeast-1:...:SOMTHING-blah from secrets manager
```
I'll try the daemon execution role and then the tasks roles and then... not sure. The documentation for the AWS/ECS needs to be updated to include the permissions needed to get it going or at least a full working example. I'll publish my CDK script somewhere once I get it working (if you like).
looks like it was the daemon execution role