0

I have the following piece of code:

Secret.from_secret_complete_arn(
    scope=self._scope,
    id="some-id",
    secret_complete_arn="some-arn-ending-with-6-letters"
)

The secret is then processed and passed to ApplicationLoadBalancedTaskImageOptions's secrets param. Using cdk deploy works just fine.

However, using this code:

Secret.from_secret_name_v2(
    scope=self._scope,
    id="some-id",
    secret_name="some-name-of-the-secret"
)

results in the deployment hanging. I don't really understand why is AWS fine with me getting the secret by complete ARN, but doesn't allow getting the secret by name. If the deploying body has enough permissions to fetch the secret by ARN, why can't it use a name shortcut? Shouldn't it figure out the ARN by itself rather than using the -?????? wildcard?

The answer here suggests granting additional policies in resource permissions themselves, but why is that necessary? Can I instead somehow notify my CDK code to do it for me automatically? Maybe something with the Role construct like below, or with the secret itself?

role = Role(self._scope, "some-role-id", assumed_by=AccountRootPrincipal())
env_secret.grant_read(role)

Update:

Using higher verbosity with the debug flag enabled on the deploy command yields:

my-stack | 2/5 | 09:01:55 | UPDATE_COMPLETE      | AWS::IAM::Policy                            | my-server/TaskDef/ExecutionRole/DefaultPolicy (myserverTaskDefExecutionRoleDefaultPolicy5A37A9F2) 
[AWS cloudformation 200 0.878s 0 retries] describeStacks({ StackName: 'my-stack' })
Stack my-stack has an ongoing operation in progress and is not stable (UPDATE_IN_PROGRESS)
[AWS cloudformation 200 1.452s 0 retries] describeStackEvents({ StackName: 'my-stack', NextToken: undefined })
[AWS cloudformation 200 0.872s 0 retries] describeStacks({ StackName: 'my-stack' })
Stack my-stack has an ongoing operation in progress and is not stable (UPDATE_IN_PROGRESS)
[AWS cloudformation 200 1.462s 0 retries] describeStackEvents({ StackName: 'my-stack', NextToken: undefined })
(...)

then it just keeps going forever. There is nothing interesting I can see in the CloudFormation status itself (stack is UPDATE_IN_PROGRESS but all resources are COMPLETE), nor in the cloud logs. It might be interesting to know that indeed the CDK asks to approve a change when using the secret name instead of ARN:

  • resource using ARN: arn:...:secret:my-server-env-secret-NLmjQM
  • resource using name: arn:...:secret:my-server-env-secret-??????

It's also interesting that in the ARN deployment the ... part above was using the directly referenced, actual region and account values, whereas the deployment using secret name used an indirect reference:

arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:my-server-env-secret-??????

Perhaps I can somehow check that these variables are resolved to the same values as the ARN secret?

The code which adds the secret (aws_cdk.aws_ecs.Secret) to the container is:

env_secrets = {
    field: Secret.from_secrets_manager(
        secret=env_secret,
        field=field
    ) for field in [
        "DJANGO_SECRET_KEY",
        ...
    ]
}

I use the above because of how I've structured the secret's values. The variable is then unpacked and passed into the secrets (param) dictionary:

secrets = {
   ...some_other_secrets,
   **env_secrets
}

Works without issues with the ARN version of the secret.

There are no policies that I can see in the related task execution role, in the AWS management console.

Kacperito
  • 1,277
  • 1
  • 10
  • 27
  • What do you mean by "hanging" Which step does it hang on? Does the deployment eventually time out? – gshpychka Sep 21 '22 at 11:31
  • Yes @gshpychka, the deployment times out due to the circuit breaker. With it disabled I waited like 20 minutes with the deployment being stuck on the ECS service being updated (eventually just terminated the process myself and did a manually triggered rollback). – Kacperito Sep 21 '22 at 11:40
  • Check the ECS events while it's updating/creating the service - what kind of error is it? Is it thrown by the container, or is it due to the task execution role not being able to fetch the secret? – gshpychka Sep 21 '22 at 12:04
  • are you sure your secretst_name matches the secret name stored? – Jatin Mehrotra Sep 21 '22 at 14:34
  • @JatinMehrotra Yes – Kacperito Sep 21 '22 at 14:45
  • This should work fine, unless the full ARN you're providing points to a different account/region than the one you're deploying the stack to. Is that the case? – gshpychka Sep 21 '22 at 19:39
  • @gshpychka It's all in the same account, which is why I'm confused, it should all work like a charm. I will try to provide more debug data today or maybe tomorrow. – Kacperito Sep 22 '22 at 12:59
  • Could be a different region. – gshpychka Sep 22 '22 at 13:45
  • @gshpychka It's not. – Kacperito Sep 22 '22 at 15:04
  • Add the code where you're passing the secret to your ECS container, and also the relevant part of the ECS task execution role that contains the secret permissions. – gshpychka Sep 23 '22 at 08:56
  • @gshpychka Updated, thank you for your patience. – Kacperito Sep 26 '22 at 07:33

0 Answers0