2

I have been following this official doc from AWS on how to us secrets that are stored in Secret Manager in SAM template.yaml file, and here is what I have done:

 Environment:
        Variables:
          DUMMY_VARIABLE: '{{resolve:secretsmanager:dummy/secret:SecretString:key1}}'

Everything is working fine, and I can see the secrets is being retrieved, however, if I change the secret value in the secret manager, and redeploy the Lambda function via sam deploy command the value of the environment variable that is coming from Secret Manager remains unchanged.

I am not specifying the version stage, or version id, but I can fix the problem by specifying the versionID of the secret like below:

DUMMY_VARIABLE: '{{resolve:secretsmanager:dummy/secret:SecretString:key3::VERSION_ID_OF_THE_SECRET}}'

According to AWS official doc:

If you don't specify either a version stage or a version ID, then the default is to retrieve the version with the version stage value of AWSCURRENT.

My expection is that it should take the current value from Secret Manager without having to specify the Version ID, and Stage, but it seems not happening!

Benjamin
  • 3,499
  • 8
  • 44
  • 77

1 Answers1

2

On the same page there is this paragraph:

Updating a secret in Secrets Manager doesn't automatically update the secret in CloudFormation. In order for CloudFormation to update a secretsmanager dynamic reference, you must perform a stack update that updates the resource containing the dynamic reference, either by updating the resource property that contains the secretsmanager dynamic reference, or updating another of the resource's properties.For example, suppose in your template you specify the MasterPassword property of an AWS::RDS::DBInstance resource to be a secretsmanager dynamic reference, and then create a stack from the template. You later update that secret's value in Secret Manager, but don't update the AWS::RDS::DBInstance resource in your template. In this case, even if you perform a stack update, the secret value in the MasterPassword property isn't updated, and remains the previous secret value.

So, unfortunately, the secret value is stored in the stack itself. You may need to get the secret value explicitly via API in the code that needs to use it.

Dmitry Mukhin
  • 6,649
  • 3
  • 29
  • 31
  • this is such a bad limitation in my opinion. anyways, I have overcome the issue, by explicitly using the version number that comes from the secret manager, and update it each it it gets change, it's a ugly work, but it works. – Benjamin Jun 30 '21 at 14:54
  • Depending on your use case, you may have huge unexpected costs related to SM requests. E.g. a frequent and highly concurrent lambdas. – Dmitry Mukhin Jul 01 '21 at 10:51