AWS CDK - Possible to access individual (JSON) value within a Secrets Manager secret when specifying secrets for a container?

Question

I'm trying to put together a relatively simple stack on AWS CDK that involves an ApplicationLoadBalancedFargateService from aws-ecs-patterns.

My problem involves secrets. I have a secret in Secrets Manager that has several key/values (I think technically it's stored as a JSON doc, but AWS provides a key/val interface), and I need to pass them to my containers individually. I do this currently in an equivalent non-cdk (made in the console) stack by simply specifying the key, like this: arn:aws:secretsmanager:us-west-2:[acct]:secret/name-??????:KEY::, where `KEY is the secret key, and the correct value is inserted into the container as an env var.

When I try to do that with CDK, I get an error when I cdk synth:

`secretCompleteArn` does not appear to be complete; missing 6-character suffix

If I remove the last bit (:KEY::), it successfully synths, but my container isn't actually getting what I want.

This is how I'm trying to use it in my cdk (typescript) code:

new ApplicationLoadBalancedFargateService(this, 'Service', {
  ...
  taskImageOptions: {
    image: containerImage, // defined elsewhere
    ...
    secrets: {
      'DB_DATABASE': ecs.Secret.fromSecretsManager(
        Secret.fromSecretCompleteArn(this, 'secret-DB_DATABASE', 
         'arn:aws:secretsmanager:us-west-2:[acct]:secret:secret/name-??????:KEY::')),

      //there's really a few more, pulling keys from the same secret.  Omitting for brevity
    },
  },   
});

Is there a way to to make this work? Or do I need to change the way I store/use my secrets?

score 6 · Accepted Answer · answered May 28 '21 at 09:43

6

This is how you pass a specific key as environment variable to your container:

const mySecret = secretsmanager.Secret.fromSecretCompleteArn('<your arn>');

taskDefinition.addContainer('MyContainer', {
  // ... other props ...
  secrets: {
    SECRET_KEY: ecs.Secret.fromSecretsManager(mySecret, 'specificKey'),
  },
});

or with the ApplicationLoadBalancedFargateService:

new ApplicationLoadBalancedFargateService(this, 'Service', {
  ...
  taskImageOptions: {
    image: containerImage, // defined elsewhere
    ...
    secrets: {
      'DB_DATABASE': ecs.Secret.fromSecretsManager(mySecret, 'specificKey'),
    },
  },   
});

answered May 28 '21 at 09:43

jogold

6,667
23
41

I am getting: no identity-based policy allows the secretsmanager:GetSecretValue action status code: 400 when my fargate task starts up. I defined it using the: ApplicationLoadBalancedFargateService Is there a way to allow the task to read the secrets? – Capaj Aug 16 '22 at 13:17
1

@Capaj the permission should be given automatically, see https://github.com/aws/aws-cdk/blob/main/packages/@aws-cdk/aws-ecs/lib/container-definition.ts#L60 – jogold Aug 19 '22 at 13:44

AWS CDK - Possible to access individual (JSON) value within a Secrets Manager secret when specifying secrets for a container?

1 Answers1