docdb: Cannot create database cluster: cannot find value in secret string


I’m unable to create a Database Cluster and keep receiving this error: Could not find a value associated with JSONKey in SecretString.

Reproduction Steps

My Database Cluster:

constructor(scope: cdk.Construct, id: string, props: SharedResources) {
    super(scope, id, props);

    // Create the Database
    this.databaseCluster = new DatabaseCluster(this, 'todos-database', {
        masterUser: {
            username: this.clusterUsername, // NOTE: 'admin' is reserved by DocumentDB
        },
        instanceType: InstanceType.of(InstanceClass.M3, InstanceSize.MEDIUM),
        vpcSubnets: {
            subnetType: SubnetType.PRIVATE
        },
        vpc: props.vpc,
        dbClusterName: "todos-database-cluster",
    });
}

What did you expect to happen?

A DatabaseCluster to be created with a password generated in Secrets Manager.

What actually happened?

I am seeing the following error in CloudFormation: Could not find a value associated with JSONKey in SecretString

Environment

  • CDK CLI Version : 1.97.0 (build c52c2dc)
  • Framework Version: 1.97.0
  • Node.js Version: v14.16.0
  • OS : MacOS 11.2.3
  • Language (Version): Typescript 3.8.3

Other

I’ve also attempted to create the secret value manually:

constructor(scope: cdk.Construct, id: string, props: SharedResources) {
    super(scope, id, props);

    // Database Password
    const templatedSecret = new Secret(this, 'TemplatedSecret', {
        generateSecretString: {
            secretStringTemplate: JSON.stringify({}),
            generateStringKey: 'password',
        },
    });

    // Create the Database
    this.databaseCluster = new DatabaseCluster(this, 'todos-database', {
        masterUser: {
            username: this.clusterUsername, // NOTE: 'admin' is reserved by DocumentDB
            password: templatedSecret.secretValueFromJson("password")
        },
        instanceType: InstanceType.of(InstanceClass.M3, InstanceSize.MEDIUM),
        vpcSubnets: {
            subnetType: SubnetType.PRIVATE,
        },
        vpc: props.vpc,
        dbClusterName: "todos-database-cluster"
    });
}

And received this error:

AppStack/todos-database/Resource [AWS::DocDB::DBCluster] is missing required property: masterUsername

/Users/ryan/Source/Repos/infra-demo-lnl/aws/node_modules/@aws-cdk/aws-docdb/lib/docdb.generated.ts:454
        inspector.addAttribute("aws:cdk:cloudformation:type", CfnDBClusterParameterGroup.CFN_RESOURCE_TYPE_NAME);
                            ^
While synthesizing AppStack/todos-database/Resource: Cannot read property 'renderTags' of undefined

This is 🐛 Bug Report

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

1 reaction
peterwoodworth commented, Apr 20, 2021

Thank you for providing the repo! I was able to clone it and reproduce the error you got.

Here’s the relevant cdk synth output:

todosdatabaseSecretD17DF9C9:
    Type: AWS::SecretsManager::Secret
    Properties:
      Description:
        Fn::Join:
          - ""
          - - "Generated by the CDK for stack: "
            - Ref: AWS::StackName
      GenerateSecretString:
        ExcludeCharacters: '"@/'
        GenerateStringKey: password
        PasswordLength: 41
        SecretStringTemplate: "{}"
todosdatabase2F2D1C05:
    Type: AWS::DocDB::DBCluster
    Properties:
      MasterUsername:
        Fn::Join:
          - ""
          - - "{{resolve:secretsmanager:"
            - Ref: todosdatabaseSecretD17DF9C9
            - :SecretString:username::}}
      MasterUserPassword:
        Fn::Join:
          - ""
          - - "{{resolve:secretsmanager:"
            - Ref: todosdatabaseSecretD17DF9C9
            - :SecretString:password::}}
      DBClusterIdentifier: test-database-cluster
      DBSubnetGroupName:
        Ref: todosdatabaseSubnetsDF7E1047
      StorageEncrypted: true
      VpcSecurityGroupIds:
        - Fn::GetAtt:
            - todosdatabaseSecurityGroup1EECD80B
            - GroupId
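
The mismatch visible in the synth output above, written as a template check (an added example, not part of the original issue or of the CDK): the generated secret will hold only the `password` key, while `MasterUsername` resolves `username` from it. The `template` object is constructed from the YAML on this page, and `findMissingSecretKeys` and its helpers are hypothetical names.

```typescript
type Json = { [key: string]: any };
// Constructed input: the two resources from the synth output above, as JSON.
const SECRET_ID = "todosdatabaseSecretD17DF9C9";
const ref = (jsonKey: string): Json => ({
  "Fn::Join": ["", ["{{resolve:secretsmanager:", { Ref: SECRET_ID },
                    ":SecretString:" + jsonKey + "::}}"]],
});
const template: Json = {
  Resources: {
    [SECRET_ID]: { Type: "AWS::SecretsManager::Secret", Properties: {
      GenerateSecretString: { GenerateStringKey: "password", SecretStringTemplate: "{}" } } },
    todosdatabase2F2D1C05: { Type: "AWS::DocDB::DBCluster", Properties: {
      MasterUsername: ref("username"), MasterUserPassword: ref("password") } },
  },
};

// JSON keys a generated secret will hold: template keys plus GenerateStringKey.
function generatedKeys(gen: Json): string[] {
  const keys: string[] = Object.keys(JSON.parse(gen.SecretStringTemplate || "{}"));
  if (gen.GenerateStringKey) keys.push(gen.GenerateStringKey);
  return keys;
}

// Flatten an Fn::Join to text, writing {Ref: X} as ${X}; anything else yields "".
function flatten(value: any): string {
  if (typeof value === "string") return value;
  if (!value || !Array.isArray(value["Fn::Join"])) return "";
  const join: any[] = value["Fn::Join"];
  return join[1].map((p: any) => (typeof p === "string" ? p : "${" + p.Ref + "}")).join(join[0]);
}

// List top-level properties that resolve a JSON key the referenced secret lacks.
function findMissingSecretKeys(tpl: Json): string[] {
  const pattern = /\{\{resolve:secretsmanager:\$\{(\w+)\}:SecretString:([^:}]+):/;
  const resources: Json = tpl.Resources || {};
  const findings: string[] = [];
  for (const id of Object.keys(resources)) {
    const props: Json = resources[id].Properties || {};
    for (const prop of Object.keys(props)) {
      const m = pattern.exec(flatten(props[prop]));
      // Only secrets generated in this template can be checked statically.
      const gen = m && ((resources[m[1]] || {}).Properties || {}).GenerateSecretString;
      if (!m || !gen || generatedKeys(gen).indexOf(m[2]) >= 0) continue;
      findings.push(id + "." + prop + " resolves '" + m[2] + "', absent from " + m[1]);
    }
  }
  return findings;
}
```

Running it over the JSON form of `cdk synth` output before deploying surfaces the missing key at build time instead of as a CloudFormation failure.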
