I'm using AWS Fargate and storing sensitive data with Secrets Manager. Task definition should get environment variables from secrets store
- name: "app"
image: "ecr-image:tag"
essential: true
secrets:
- name: "VAR1"
valueFrom: "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-one-secret"
- name: "VAR2"
valueFrom: "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-secret"
- name: "VAR3"
valueFrom: "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-private"
but for some reason it fails with the error below
ResourceNotFoundException: Secrets Manager can’t find the specified secret. status code: 400, request id
It seems a bit strange to me because
IAM has permissions for get secret value, moreover
when leaving only VAR1
variable everything works as expected
AWS CLI is able to retrieve each secret without any issue
e.g.
aws secretsmanager get-secret-value --secret-id var-two-secret
What might be wrong with my configuration? Any hints appreciated
You can retrieve your secrets by using the console (https://console.aws.amazon.com/secretsmanager/ ) or the AWS CLI ( get-secret-value ). In applications, you can retrieve your secrets by calling GetSecretValue in any of the AWS SDKs. However, we recommend that you cache your secret values by using client-side caching.
Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/ . Choose Store a new secret. On the Choose secret type page, do the following: For Secret type, choose Other type of secret.
Secret. The name of the secret, a description, a resource policy, and tags. The ARN for an encryption key, an AWS KMS key that Secrets Manager uses to encrypt and decrypt the secret value. Secrets Manager stores secret text in an encrypted form and encrypts the secret in transit.
Open the Amazon VPC console, select Endpoints, and then select Create Endpoint. Select AWS Services as the Service category, and then, in the Service Name list, select the Secrets Manager endpoint service named com. amazonaws.
ok, so the trick was to specify ARN explicitly. Instead of just providing secret name you should use full identifier
arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-secret-ID0o2R
Note -ID0o2R
suffix at the end of secret name.
It's still not clear for me why for some variables it works without it.
UPD
However, if your secret has a name that ends in a hyphen followed by six characters (before Secrets Manager adds the hyphen and six characters to the ARN) and you try to use that as a partial ARN, then those characters cause Secrets Manager to assume that you’re specifying a complete ARN. This confusion can cause unexpected results.
So as you can see from my variable name containing a hyphen Secrets Manager had hard times when resolving it by short name
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With