Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Secrets Manager - DocumentDB Construct

See original GitHub issue

❓ General Issue

Secret’s value is not passed into a construct for DocumentDB, rather the whole SecretString is passed instead.

The Question

How does one resolve a SecretString from SecretsManager into a construct for DocumentDB? Is this possible?

It passes : {resolve:secretsmanager:arn:aws:secretsmanager:us-east-2:****secret:cdk/docdb-****:SecretString:password::} but not the actual value

Code:

    // Get Secret Values for Username and Password
    const secret = sm.Secret.fromSecretAttributes(this, 'cdk/docdb', {
      secretArn: '',
    });

    const credentials = {
      username : secret.secretValueFromJson('username'),
      password : secret.secretValueFromJson('password') 
    };

.....

  // Create documentdb cluster
    const sfDocCluster = new docdb.CfnDBCluster(
      this,
      "StorefrontDocdbCluster",
      {
        storageEncrypted: true,
        availabilityZones: vpc.availabilityZones.splice(3),
        dbClusterIdentifier: "StorefrontDocdbCluster",
        masterUsername: credentials.username,
        masterUserPassword: credentials.password,
        vpcSecurityGroupIds: [sfSecurityGroup.securityGroupName],
        dbSubnetGroupName: sfSubnetGroup.dbSubnetGroupName,
        dbClusterParameterGroupName: sfDocParamGroup.name,
        port
      }
    );

Console Result:

StorefrontDocdbCluster Property validation failure: 

[Length of value {{{resolve:secretsmanager:arn:aws:secretsmanager:us-east-2:****secret:cdk/docdb-****:SecretString:password::}}} for property {/MasterUserPassword} is greater than maximum allowed length {41}, 

Length of value {{{resolve:secretsmanager:arn:aws:secretsmanager:us-east-2:****:secret:cdk/docdb-****:SecretString:username::}}} for property {/MasterUsername} is greater than maximum allowed length {63}]

Environment

CDK CLI Version: 1.5
Module Version:
OS: OSX Mojave
Language: TypeScript

Other information

Issue Analytics

State:
Created 4 years ago
Comments:11 (7 by maintainers)

Top GitHub Comments

2reactions

jogoldcommented, Aug 23, 2019

I don’t know, the documentation says:

The secretsmanager dynamic reference can be used in all resource properties.

But apparently there are some bugs here and there.

1reaction

jogoldcommented, Oct 18, 2019

This is an issue with CloudFormation itself and how it resolves/validates username and password for a AWS::DocDB::DBCluster, see aws-cloudformation/aws-cloudformation-coverage-roadmap#94 and https://forums.aws.amazon.com/thread.jspa?messageID=891456#891456

Top Results From Across the Web

How Amazon DocumentDB (with MongoDB compatibility ...

In Amazon DocumentDB, users authenticate to a cluster in conjunction with a password. With AWS Secrets Manager, you can replace hardcoded credentials in ......

AWS Secrets Manager integration

Create a secret in Secrets Manager that contains your Amazon DocumentDB cluster name, username, and password. Securely access your Amazon DocumentDB cluster ...

AWS Secrets Manager in Use for DocumentDB Databases

With Amazon Secrets Manager you can secure and manage database credentials used to access DocumentDB database clusters provisioned in your AWS ...

Amazon DocumentDB and AWS Secrets Manager Integration

In this video, you will learn how to leverage AWS secrets manager to store and rotate credentials for Amazon DocumentDB.

Create an Amazon Secrets Manager secret with automatic ...

This example creates a secret and an Amazon DocumentDB instance using the credentials in the secret as the user and password. The secret...