
I'm trying to provision a service on ECS using Terraform. I have secrets in AWS Secrets Manager:

{
   "test": "secret"
}

and provide them to my task definition as follows:

 ....
 "secrets": ${jsonencode(
   [
     {
       name      = "test_1",
       valueFrom = "arn:aws:secretsmanager:....../test"
     }
   ]
 )}
 ....

When I deploy my container, it complains with `ResourceNotFoundException: Secrets Manager can't find the specified secret`, which makes sense, because such an ARN does not exist. If I drop `/test` from the end, however, I get `test_1 = {"test": "secret"}` in my environment, which is OK but not what I want - I want just `secret`. That's how it works in examples that I have seen, for instance here - https://www.chakray.com/creating-fargate-ecs-task-aws-using-terraform/

What am I missing?

kot
  • You are not missing anything; what you want is simply not really possible. You get the secret value and that's it. If you do not want it to be JSON, don't store it as JSON: the secret value can simply be `secret` instead of `{"test": "secret"}`. – luk2302 Aug 11 '21 at 20:01
  • Ah. The way AWS prompts for the values is a bit misleading. This should be the answer. – kot Aug 11 '21 at 20:27
  • I'm not using Terraform, but creating a task within AWS Console. I've tried `arn:aws:secretsmanager:......:test::` (note the double colons) and it worked for me. For details please see [amazon ecs - AWS ECS - How to retrieve specific key from secret manager? - Stack Overflow](https://stackoverflow.com/q/57191835). – li ki Mar 20 '22 at 12:24
  • In addition, `arn:aws:ssm:::parameter/` (from the blog post you mentioned) is a Systems Manager Parameter syntax, you should not mix it with Secrets Manager. Please see [Specifying sensitive data using Systems Manager Parameter Store - Amazon Elastic Container Service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data-parameters.html). – li ki Mar 20 '22 at 12:41

1 Answer


In your case, you're looking to use a single key from a secret (which holds key-value pairs).

The syntax for valueFrom is

arn:aws:secretsmanager:region:aws_account_id:secret:secret-name:json-key:version-stage:version-id

For easier understanding, you can think of it as

"${your_secrets.arn}:${keyname}::"

For example, if your secret name is prod-db-credentials with the value

{ "username": "dbuser", "password": "dbpass" }

Then your task definition should look like

{
  "containerDefinitions": [{
    "secrets": [{
      "name": "environment_variable_name",
      "valueFrom": "arn:aws:secretsmanager:ap-southeast-2:222000000036:secret:prod-db-credentials-vXXXXC:username::"
    }]
  }]
}

For more information, you can refer to https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data-secrets.html#secrets-envvar

Ram Babu