[aws-ecs][aws-secretsmanager] Secret lookup fails if the secret is looked up by name and has a `-` in the name
It appears that when I try to pull an existing secret using `fromSecretNameV2` and pass it to `secrets` in ECS using `ecs.Secret.fromSecretsManager`, if the secret has a `-` character in the name, the container is not able to identify the secret and returns a 400. This works in the exact same setup if the secret has no `-`.
Reproduction Steps

```typescript
import * as ecs from '@aws-cdk/aws-ecs';
import * as secretsmanager from '@aws-cdk/aws-secretsmanager';

// Look up an existing secret by name (no random ARN suffix is known here)
const creds = secretsmanager.Secret.fromSecretNameV2(
  this,
  'someID',
  'my-name-with-dash', // my/name-with-dash doesn't work either, jwt/myNameWithoutDash works
);
creds.grantRead(this.executionRole);
const secrets = {
  MY_SECRET: ecs.Secret.fromSecretsManager(creds),
};
const taskDef = ...
const container = taskDef.addContainer('name', { secrets });
// ... launch fargate cluster
```
What did you expect to happen?
Expect the secrets to be passed securely to the container and made available there.
What actually happened?
The service failed to start with error:
Fetching secret data from AWS Secrets Manager in region us-east-1: secret arn:aws:secretsmanager:us-east-1:172456244520:secret:my-name-with-dash: ResourceNotFoundException: Secrets Manager can't find the specified secret. status code: 400, request id: 92e16bc3-a734-441e-ba39-64faaf48cc9e;
Environment
- CDK CLI Version: 1.73
- Framework Version:
- Node.js Version: 14.14
- OS: Docker Alpine run on macOS Big Sur
- Language (Version): TypeScript 3.9
Other
I’m wondering if it has to do with the fact that the random suffix on the AWS ARN is separated by a dash? When we look up the secret by name that suffix is missing, as discussed here: https://github.com/aws/aws-cdk/issues/6889
Maybe if it's missing but the secret has a dash in it, the ARN lookup becomes ambiguous somehow? Just a guess.
This is a 🐛 Bug Report
Issue Analytics
- Created 3 years ago
- Comments: 6 (1 by maintainers)
Top GitHub Comments
Wow. I’ve wasted several days trying to understand why my secret cannot be found and it turns out to be due to, I’m sorry to say, an incredibly poor implementation by AWS. “Sorry folks, if your secret name ends with a hyphen followed by 6 characters, you’re out of luck, try 5 characters or maybe 7 characters.” Really?! Are you serious?
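The ambiguity the reporter guesses at above and the "hyphen followed by 6 characters" pattern this comment describes, as an added example (not CDK or AWS code): a Secrets Manager ARN ends in `NAME-SUFFIX` with a six-character random suffix, so a reference that omits the suffix has two possible readings whenever the name itself ends in `-` plus six characters. The names, region and account below are constructed.

```typescript
// Added example, not code from CDK or AWS. ARN layout assumed from the thread:
//   arn:aws:secretsmanager:REGION:ACCOUNT:secret:NAME-SUFFIX
// where SUFFIX is a six-character random string appended by Secrets Manager.
const SUFFIX_RE = /^(.*)-([A-Za-z0-9]{6})$/;

export interface SecretRef {
  name: string;     // friendly name as created in Secrets Manager
  suffix?: string;  // random suffix, present only in a complete ARN
}

// Every way the resource part of an ARN can be read. A string that ends in
// "-xxxxxx" has two readings: the whole string as a name (partial ARN), or
// everything before the last "-" as the name plus a random suffix (complete ARN).
export function readings(resource: string): SecretRef[] {
  const out: SecretRef[] = [{ name: resource }];
  const m = SUFFIX_RE.exec(resource);
  if (m) {
    out.push({ name: m[1], suffix: m[2] });
  }
  return out;
}

// A name-only reference (what fromSecretNameV2 produces) is unambiguous only
// when the name has exactly one reading.
export function isSafeNameReference(name: string): boolean {
  return readings(name).length === 1;
}

// The complete ARN carries the suffix, so it has a single reading regardless of
// the shape of the name. Use this form for names that fail isSafeNameReference.
export function completeArn(region: string, account: string, ref: Required<SecretRef>): string {
  return `arn:aws:secretsmanager:${region}:${account}:secret:${ref.name}-${ref.suffix}`;
}

// Constructed sample: "api-key-github" can be read as the name "api-key" with the
// suffix "github", which is the collision the comment above describes.
export const sample = readings('api-key-github');
```

In aws-cdk-lib, the complete-ARN form of the import is `Secret.fromSecretCompleteArn(scope, id, arn)`; it takes the ARN with the suffix, which is what the check above recommends for names matching the pattern.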
This just happened to me as well, I was retrieving a secret with `Secret.fromSecretNameV2()` and it kept failing as I thought it was something bad on my implementation, then I arrived at this thread, changed my secret from `test-user` to `testuser` and suddenly the deployment succeeds! I’m using the latest version of `aws-cdk-lib` so this is still a bug.