SSM Secure Parameter Version ignored in ARN
We create a secure string parameter in SSM and pass it down to an ECS service via a TaskDefinition (inside a ContainerDefinition) as a Secret. However, the version of the secure string seems to be ignored when the CloudFormation ARN for the secret in the ECS task definition is created.
Reproduction Steps
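```typescript
import { StringParameter } from "@aws-cdk/aws-ssm";
import { ContainerDefinitionOptions, Secret } from "@aws-cdk/aws-ecs";

// Reference an existing SecureString parameter, asking for version 2
const param = StringParameter.fromSecureStringParameterAttributes(construct, "SecretParameterForEcsTaskDefinition", {
  simpleName: false,
  parameterName: "some-name",
  version: 2,
});
const secret = Secret.fromSsmParameter(param);
// pass the secret to ECS task definition via secrets property
// ...
const options: ContainerDefinitionOptions = {
  // ...
  secrets: {
    "some-key": secret,
  },
};
```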
Error Log
Not an error, but the parameter version is not pinned. The ECS task definition contains the following:
```json
...
"secrets": [
  {
    "valueFrom": "arn:aws:ssm:eu-central-1:xxxxxxxxxx:parameter/some-name",
    "name": "some-key"
  }
]
```
I would expect the ARN to end with: `some-name:2`.
Environment
- CLI Version : 1.39.0 (build 5d727c1)
- Framework Version: 1.39.0
- Node.js Version: v12.16.3
- OS : Linux
- Language (Version): TypeScript
This is 🐛 Bug Report
Issue Analytics
- State:
- Created 3 years ago
- Reactions:7
- Comments:7 (2 by maintainers)
Top GitHub Comments
I did a bit of digging; it appears one can’t specify the version of an SSM Parameter in a task def, so no amount of wishing in the CDK will make it happen. One either needs to use Secrets Manager (which one can (must) specify versions for), or the ECS service itself needs to be changed to support passing in SSM parameter versions.
This is the corresponding feature request on the containers roadmap https://github.com/aws/containers-roadmap/issues/636
It was closed after implementing support for versioned secrets for Secret Store, but not SSM Parameters.
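To see which secret references in a task definition actually pin a version, the `secrets[].valueFrom` values can be audited as in the following added example, which is not code from the issue or from the CDK. The function names and sample values are hypothetical, and the Secrets Manager reference layout (`secret:<name>:<json-key>:<version-stage>:<version-id>`) is the one ECS documents for `valueFrom`.

```typescript
// Added example: names are hypothetical, sample ARNs are constructed.
interface SecretRef { name: string; valueFrom: string }
interface ContainerDef { name: string; secrets?: SecretRef[] }
interface Finding { key: string; source: string; pinned: boolean; note: string }
function classifySecret(ref: SecretRef): Finding {
  // ARN layout: arn:partition:service:region:account:resource[:more...]
  const p = ref.valueFrom.split(":");
  const service = p[0] === "arn" ? (p[2] ?? "") : "";
  const resource = p[5] ?? "";
  if (service === "ssm" && resource.indexOf("parameter") === 0) {
    // Per the comment above, ECS cannot pin an SSM parameter version.
    const extra = p.length > 6 ? "; trailing ':" + p.slice(6).join(":") + "' is not a supported pin" : "";
    return { key: ref.name, source: "ssm", pinned: false, note: "resolves the current version" + extra };
  }
  if (service === "secretsmanager" && resource === "secret") {
    // ECS form: ...:secret:<name>:<json-key>:<version-stage>:<version-id>
    const stage = p[8] ?? "";
    const versionId = p[9] ?? "";
    if (versionId !== "") {
      return { key: ref.name, source: "secretsmanager", pinned: true, note: "version id " + versionId };
    }
    // A staging label is a moving pointer, so it is not counted as a pin.
    const label = stage === "" ? "AWSCURRENT (default)" : stage;
    return { key: ref.name, source: "secretsmanager", pinned: false, note: "follows label " + label };
  }
  return { key: ref.name, source: "other", pinned: false, note: "not a recognised secret ARN" };
}
function auditTaskDefinition(taskDef: { containerDefinitions: ContainerDef[] }): Finding[] {
  const findings: Finding[] = [];
  for (const c of taskDef.containerDefinitions) {
    for (const s of c.secrets ?? []) findings.push(classifySecret(s));
  }
  return findings;
}

// Constructed sample: account id, secret name and version id are placeholders.
const base = "eu-central-1:111122223333";
const sampleTaskDef = {
  containerDefinitions: [{
    name: "app",
    secrets: [
      { name: "some-key", valueFrom: `arn:aws:ssm:${base}:parameter/some-name` },
      { name: "wished-for", valueFrom: `arn:aws:ssm:${base}:parameter/some-name:2` },
      { name: "by-label", valueFrom: `arn:aws:secretsmanager:${base}:secret:db-pass-AbCdEf::AWSPREVIOUS:` },
      { name: "by-id", valueFrom: `arn:aws:secretsmanager:${base}:secret:db-pass-AbCdEf:::11111111-2222-3333-4444-555555555555` },
    ],
  }],
};
for (const f of auditTaskDefinition(sampleTaskDef)) console.log(f.key, f.source, f.pinned, f.note);
```

Only the reference carrying a Secrets Manager version id is reported as pinned; every SSM reference, including the `:2` form the issue asked for, is reported as following the current version.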