ecs.Secret.fromSecretsManager generates secret name instead of secret ARN #10519
Comments
kastork
added
bug
SomayaB
added
@aws-cdk/aws-ecs
|
I have the exact same problem. I (falsely) understood that providing As a workaround we use: const secret = new custom.AwsCustomResource(this, "GetSecret", {
onUpdate: {
service: "SecretsManager",
action: "listSecrets",
parameters: {
Filters: [
{
Key: "name",
Values: "/my/cool/secret"
}],
SortOrder: "asc"
},
physicalResourceId: custom.PhysicalResourceId.of('MyCoolSecret')
},
policy: custom.AwsCustomResourcePolicy.fromSdkCalls({resources: custom.AwsCustomResourcePolicy.ANY_RESOURCE}),
});
const secretARN = secret.getResponseField("SecretList.0.ARN")But that is cumbersome. Especially when the secret has been encrypted with customer managed KMS key. You then need to make sure to give the proper permissions to the task execution role: taskDefinition.addToExecutionRolePolicy(new iam.PolicyStatement({actions: ['kms:Decrypt', 'kms:GenerateDataKey'], resources: ['*']}));
ecs.Secret.fromSecretsManager(
secretsManager.Secret.fromSecretArn(
this,
'ECSSecret',
secretARN
) |
|
CDK v1.67.0 Error message during cdk deploy process:
|
|
Darn, most CloudFormation usages of secrets are perfectly happy to take either the secret name or the full ARN; this appears to be one of the exceptions where only the ARN is acceptable. I wonder if it must be the full ARN, or if the ARN without the suffix is sufficient. If the latter, this might be a workaround: // Old way
// const mySecret = secretsMgr.Secret.fromSecretName(this,"mysecret",`${appSecretBase}/MySecret`);
// const mySecretEnv = ecs.Secret.fromSecretsManager(mySecret)
// New way
const mySecretArn = Stack.of(this).formatArn({
service: 'secretsmanager',
resource: 'secret',
resourceName: `${appSecretBase}/MySecret`,
sep: ':',
});
const mySecret = secretsMgr.Secret.fromSecretArn(this, 'mysecret', mySecretArn);
const mySecretEnv = ecs.Secret.fromSecretsManager(mySecret);The interesting bit is that for many other service integrations, the above absolutely won't work; if you don't have the full ARN with the Secrets Manager-generated suffix, you must just provide the secret name, and not the incomplete ARN. That's why If that works, then the real solution here is probably going to have to be some way for the Can someone confirm if the above work-around works for them? |
njlynch
added
effort/medium
The ability to import and reference a Secret purely by the secret name was introduced in #10309. One of the original requests was modelled after the integration with CodeBuild, where either the secret name or the full ARN -- including the SecretsManager-provided suffix -- were accepted, but not a "partial" ARN without the suffix. To ease integrations with other services in this case, the `secretArn` was defined as returning the `secretName` for these secrets imported by name. However, other services -- like ECS -- require that an ARN format is provided, even as a partial ARN. This introduces a dual behavior where sometimes the secretName works and partial ARN fails, and other times the partial ARN works and the secretName fails. This change introduces an option to the `fromSecretName` factory to control this behavior, so users can set up the secret properly for the service they are integrating with. *Disclaimer:* - I don't *love* this, and am very open to feedback on alternative approaches that would also be backwards compatible. Related changes -- I improved the suffix-strippiung logic of `parseSecretName` to only strip a suffix if it's exactly 6 characters long, as all SecretsManager suffixes are 6 characters. This prevents accidentally stripping the last word off of a hyphenated secret name like 'github-token'. fixes #10519
The ability to import and reference a Secret purely by the secret name was introduced in #10309. One of the original requests was modelled after the integration with CodeBuild, where either the secret name or the full ARN -- including the SecretsManager-provided suffix -- were accepted, but not a "partial" ARN without the suffix. To ease integrations with other services in this case, the `secretArn` was defined as returning the `secretName` for these secrets imported by name. However, other services -- like ECS -- require that an ARN format is provided, even as a partial ARN. This introduces a dual behavior where sometimes the secretName works and partial ARN fails, and other times the partial ARN works and the secretName fails. This change deprecates `fromSecretName` and introduces a new, better-behaved `fromSecretNameV2` that sets the ARN to a "partial" ARN without the Secrets Manager suffix. It also introduces a `secretFullArn` that is an optional version of `secretArn` that will be undefined for secrets imported by name. Related changes * I improved the suffix-strippiung logic of `parseSecretName` to only strip a suffix if it's exactly 6 characters long, as all SecretsManager suffixes are 6 characters. This prevents accidentally stripping the last word off of a hyphenated secret name like 'github-token'. * Updated the CodeBuild integration and added CodeBuild tests. fixes #10519
The ability to import and reference a Secret purely by the secret name was introduced in #10309. One of the original requests was modelled after the integration with CodeBuild, where either the secret name or the full ARN -- including the SecretsManager-provided suffix -- were accepted, but not a "partial" ARN without the suffix. To ease integrations with other services in this case, the `secretArn` was defined as returning the `secretName` for these secrets imported by name. However, other services -- like ECS -- require that an ARN format is provided, even as a partial ARN. This introduces a dual behavior where sometimes the secretName works and partial ARN fails, and other times the partial ARN works and the secretName fails. This change deprecates `fromSecretName` and introduces a new, better-behaved `fromSecretNameV2` that sets the ARN to a "partial" ARN without the Secrets Manager suffix. It also introduces a `secretFullArn` that is an optional version of `secretArn` that will be undefined for secrets imported by name. Related changes * I improved the suffix-strippiung logic of `parseSecretName` to only strip a suffix if it's exactly 6 characters long, as all SecretsManager suffixes are 6 characters. This prevents accidentally stripping the last word off of a hyphenated secret name like 'github-token'. * Updated the CodeBuild integration and added CodeBuild tests. fixes #10519
) The ability to import and reference a Secret purely by the secret name was introduced in #10309. One of the original requests was modelled after the integration with CodeBuild, where either the secret name or the full ARN -- including the SecretsManager-provided suffix -- were accepted, but not a "partial" ARN without the suffix. To ease integrations with other services in this case, the `secretArn` was defined as returning the `secretName` for these secrets imported by name. However, other services -- like ECS -- require that an ARN format is provided, even as a partial ARN. This introduces a dual behavior where sometimes the secretName works and partial ARN fails, and other times the partial ARN works and the secretName fails. This change deprecates `fromSecretName` and introduces a new, better-behaved `fromSecretNameV2` that sets the ARN to a "partial" ARN without the Secrets Manager suffix. It also introduces a `secretFullArn` that is an optional version of `secretArn` that will be undefined for secrets imported by name. Related changes * I improved the suffix-strippiung logic of `parseSecretName` to only strip a suffix if it's exactly 6 characters long, as all SecretsManager suffixes are 6 characters. This prevents accidentally stripping the last word off of a hyphenated secret name like 'github-token'. * Updated the CodeBuild integration and added CodeBuild tests. fixes #10519 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
What did you expect to happen?
Expect the fargate task to launch
What actually happened?
Fargate task failed to launch with the following error:
Notice, the error is complaining about SSM (parameter store), not Secrets Manager.
Environment
Other
Looking at the generated secrets configuration, I see
This is a simple parameter name, NOT an ARN to a secret in secret manager, which is what the CloudFormation docs indicate should be here.
This is 🐛 Bug Report
The text was updated successfully, but these errors were encountered: