
I have a Fargate instance which uses AWS Secrets Manager to fetch database credentials, but it cannot read the credentials.

Fetching secrets works in Lambda as well as when running it locally if I provide a key locally. I can print and log the values and the code executes in the last two cases. The library used to fetch the secrets is the same in the Fargate Docker image, the Lambda and the local tests (apart from needing to provide an access key locally).

I am using Terraform to create my EC2, and I gave my EC2 these roles:

    "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds"
    ],
    "Effect": "Allow",
    "Resource": [
        "arn:aws:secretsmanager:eu-west-2:xxxxxxx:secret:xxx-xxx-xxx"
    ]

The error I am getting is simply:

    Unable to locate credentials

This is my first fargate app. My health-check works and the code executes until this point.

My code looks like this:

    import logging

    import boto3

    logger = logging.getLogger(__name__)

    endpoint_url = "https://xxxxxx.eu-west-2.amazonaws.com"
    secret_name = secret  # `secret` is the secret name passed in by the caller
    region_name = "eu-west-2"

    logger.info("Pre secrets")
    try:
        # The session resolves credentials from the default provider chain
        # (environment variables, shared config, or the role attached to the runtime).
        session = boto3.session.Session()
    except Exception as e:
        logger.info(e)
        raise  # without re-raising, `session` would be undefined below

    client = session.client(
        service_name="secretsmanager",
        region_name=region_name,
        endpoint_url=endpoint_url,
    )

Is there anything I could have overlooked that I need to look at?

Thank you,

user3454396

1 Answer

I think the ARN is missing the six random characters that are part of the secret's ARN, as explained in the docs.

So you have to either provide these six missing characters, or use the special placeholder ??????:

    "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds"
    ],
    "Effect": "Allow",
    "Resource": [
        "arn:aws:secretsmanager:eu-west-2:xxxxxxx:secret:xxx-xxx-xxx-??????"
    ]
Marcin
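To see why the six-character suffix matters, here is an added checker (my own code, not from the question or the answer) that applies IAM's Resource wildcard rules (`*` matches any run of characters, `?` exactly one) to a constructed secret ARN; the account id, secret name and suffix are placeholders, and the policy shape is the one from the question.

```python
import re

# Constructed sample (placeholders, not from the question): a secret ARN as Secrets
# Manager creates it, i.e. the name followed by a hyphen and six random characters.
SECRET_ARN = "arn:aws:secretsmanager:eu-west-2:123456789012:secret:xxx-xxx-xxx-AbCdEf"
BASE = "arn:aws:secretsmanager:eu-west-2:123456789012:secret:xxx-xxx-xxx"


def iam_resource_matches(pattern: str, arn: str) -> bool:
    """IAM Resource matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, arn) is not None


def uncovered_resources(policy: dict, secret_arn: str) -> list[str]:
    """Return Resource entries of Allow statements that grant GetSecretValue but
    do not match secret_arn, i.e. entries that would leave the call denied."""
    missing = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(iam_resource_matches(a.lower(), "secretsmanager:getsecretvalue") for a in actions):
            continue
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        missing.extend(r for r in resources if not iam_resource_matches(r, secret_arn))
    return missing


def policy_for(resource: str) -> dict:
    """Build the question's policy statement around a single Resource entry."""
    return {"Version": "2012-10-17", "Statement": [{
        "Action": ["secretsmanager:GetResourcePolicy", "secretsmanager:GetSecretValue",
                   "secretsmanager:DescribeSecret", "secretsmanager:ListSecretVersionIds"],
        "Effect": "Allow",
        "Resource": [resource],
    }]}


if __name__ == "__main__":
    # The bare name does not cover the secret; the real suffix, '??????' (exactly six
    # characters) and '*' (any suffix, so also other secrets sharing the prefix) do.
    for res in (BASE, BASE + "-??????", BASE + "-AbCdEf", BASE + "-*"):
        verdict = "does NOT cover" if uncovered_resources(policy_for(res), SECRET_ARN) else "covers"
        print(f"{res:<80} {verdict} the secret")
```

Note that a Resource mismatch surfaces as an AccessDeniedException from Secrets Manager, whereas boto3's "Unable to locate credentials" (NoCredentialsError) is raised before any request is sent, when no provider in the credential chain supplied credentials at all.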