AWS Secrets Manager can’t find the specified secret

I'm using AWS Fargate and storing sensitive data with Secrets Manager. The task definition should get its environment variables from the secrets store:

- name: "app"
  image: "ecr-image:tag"
  essential: true
  secrets:
    - name: "VAR1"
      valueFrom: "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-one-secret"
    - name: "VAR2"
      valueFrom: "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-secret"
    - name: "VAR3"
      valueFrom: "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-private"

but for some reason it fails with the error below

ResourceNotFoundException: Secrets Manager can’t find the specified secret. status code: 400, request id

It seems a bit strange to me because

  • IAM has permissions for get secret value, moreover

  • when leaving only VAR1 variable everything works as expected

  • AWS CLI is able to retrieve each secret without any issue

e.g.

aws secretsmanager get-secret-value --secret-id var-two-secret

What might be wrong with my configuration? Any hints appreciated

Most Wanted asked Sep 06 '19 12:09


1 Answer

OK, so the trick was to specify the ARN explicitly. Instead of just providing the secret name you should use the full identifier:

arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-secret-ID0o2R

Note the -ID0o2R suffix at the end of the secret name.

It's still not clear to me why it works without it for some variables.

UPD

However, if your secret has a name that ends in a hyphen followed by six characters (before Secrets Manager adds the hyphen and six characters to the ARN) and you try to use that as a partial ARN, then those characters cause Secrets Manager to assume that you’re specifying a complete ARN. This confusion can cause unexpected results.

So, as you can see, since my variable name contains a hyphen, Secrets Manager had a hard time resolving it by its short name.

Most Wanted answered Oct 11 '22 14:10
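As an added example (not part of the question or the answer), a small Python preflight check that applies the documentation rule quoted above to each `valueFrom` in the task definition, against a constructed inventory in the shape of `aws secretsmanager list-secrets` output; the `-ID0o2R` suffix is the one from the answer, the other two suffixes are made up. It is conservative by design: any name ending in a hyphen plus six characters is flagged, so under the documented rule `var-one-secret` is reported as ambiguous too, even though the question observed it resolving on its own.

```python
import re

# Secrets Manager builds a secret's ARN by appending "-" plus six random characters to its name.
ARN_PREFIX_RE = re.compile(r"^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:")
HYPHEN_SIX_RE = re.compile(r"-[A-Za-z0-9]{6}$")

# Constructed inventory standing in for `aws secretsmanager list-secrets` output.
# Only the var-two-secret suffix comes from the answer; the other two are invented.
INVENTORY = [
    {"Name": "var-one-secret", "ARN": "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-one-secret-Ab12Cd"},
    {"Name": "var-two-secret", "ARN": "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-secret-ID0o2R"},
    {"Name": "var-two-private", "ARN": "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-private-Xy9Zw0"},
]

def resolve_secret_ref(value_from, inventory=INVENTORY):
    """Classify one ECS `valueFrom` reference against the known secrets.
    Returns (status, full_arn) where status is one of:
      "full"      - already the complete ARN with suffix; nothing to change
      "partial"   - name-only reference that resolves unambiguously
      "ambiguous" - name ends in '-' + six chars, so Secrets Manager treats it as a
                    complete ARN and the lookup fails with ResourceNotFoundException
      "unknown"   - no secret with that name exists in the inventory
    """
    by_arn = {s["ARN"]: s for s in inventory}
    by_name = {s["Name"]: s for s in inventory}
    if value_from in by_arn:
        return "full", value_from
    name = ARN_PREFIX_RE.sub("", value_from)  # strip the ARN prefix if one is present
    if name not in by_name:
        return "unknown", None
    full_arn = by_name[name]["ARN"]
    if HYPHEN_SIX_RE.search(name):
        return "ambiguous", full_arn
    return "partial", full_arn

def audit_task_secrets(secrets, inventory=INVENTORY):
    """Map each env var in a task definition's `secrets` list to (status, ARN to use)."""
    return {s["name"]: resolve_secret_ref(s["valueFrom"], inventory) for s in secrets}

# The three references from the question.
TASK_SECRETS = [
    {"name": "VAR1", "valueFrom": "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-one-secret"},
    {"name": "VAR2", "valueFrom": "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-secret"},
    {"name": "VAR3", "valueFrom": "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-private"},
]

if __name__ == "__main__":
    for var, (status, arn) in audit_task_secrets(TASK_SECRETS).items():
        print(f"{var}: {status}" + (f" -> use {arn}" if status == "ambiguous" else ""))
```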