AWS Secrets Manager can’t find the specified secret

Most Wanted · Sep 6, 2019 · Viewed 10.3k times

I'm using AWS Fargate and storing sensitive data with Secrets Manager. The task definition should get its environment variables from the secrets store:

- name: "app"
  image: "ecr-image:tag"
  essential: true
  secrets:
    - name: "VAR1"
      valueFrom: "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-one-secret"
    - name: "VAR2"
      valueFrom: "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-secret"
    - name: "VAR3"
      valueFrom: "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-private"

but for some reason it fails with the error below:

ResourceNotFoundException: Secrets Manager can’t find the specified secret. status code: 400, request id

It seems a bit strange to me because:

  • IAM has permissions for getting the secret value; moreover,

  • when leaving only the VAR1 variable, everything works as expected

  • the AWS CLI is able to retrieve each secret without any issue

e.g.

aws secretsmanager get-secret-value --secret-id var-two-secret

What might be wrong with my configuration? Any hints appreciated.

Answer

Most Wanted · Sep 6, 2019

OK, so the trick was to specify the ARN explicitly. Instead of just providing the secret name, you should use the full identifier:

arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-secret-ID0o2R

Note the -ID0o2R suffix at the end of the secret name.

It's still not clear to me why it works without it for some variables.

UPD

However, if your secret has a name that ends in a hyphen followed by six characters (before Secrets Manager adds the hyphen and six characters to the ARN) and you try to use that as a partial ARN, then those characters cause Secrets Manager to assume that you’re specifying a complete ARN. This confusion can cause unexpected results.

So, as you can see, since my variable name contains a hyphen, Secrets Manager had a hard time resolving it by its short name.
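As an added example (not code from the post), a small Python check of the task definition's `valueFrom` strings against a constructed inventory of the account's secrets, applying the documentation rule quoted above: it flags partial ARNs whose name ends in a hyphen plus six characters and proposes the complete ARN from the inventory instead. Only the ID0o2R suffix comes from the post; the other suffixes in the inventory are made-up placeholders.

```python
import re

# Secrets Manager forms a secret's ARN by appending "-" plus six random characters to
# the name, so a name that itself ends in -XXXXXX cannot be told apart from a complete
# ARN when it is passed as a partial ARN (the rule quoted from the AWS docs above).
ARN_RE = re.compile(
    r"^arn:aws(?:-[a-z-]+)?:secretsmanager:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):secret:(?P<name>[^:]+)$"
)
SUFFIX_RE = re.compile(r"-[A-Za-z0-9]{6}$")

# Constructed inventory (secret name -> complete ARN), as you would collect it from
# `aws secretsmanager list-secrets`. AbCdEf and XyZ123 are placeholder suffixes.
INVENTORY = {
    "var-one-secret": "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-one-secret-AbCdEf",
    "var-two-secret": "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-secret-ID0o2R",
    "var-two-private": "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-private-XyZ123",
}

# The three valueFrom strings from the task definition, plus the fixed form from the answer.
TASK_SECRETS = {
    "VAR1": "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-one-secret",
    "VAR2": "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-secret",
    "VAR3": "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-private",
    "VAR2_FIXED": "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-secret-ID0o2R",
}


def classify(value_from: str, inventory: dict) -> str:
    """Classify one valueFrom as complete, partial, partial-ambiguous or unknown."""
    m = ARN_RE.match(value_from)
    if not m:
        return "unknown"
    if value_from in inventory.values():
        return "complete"  # exact match on a real ARN: always resolves
    name = m.group("name")
    if name not in inventory:
        return "unknown"  # no such secret in this account/region
    # Partial ARN: safe only if the name cannot be mistaken for <name>-<6 chars>.
    return "partial-ambiguous" if SUFFIX_RE.search(name) else "partial"


def check_task(task_secrets: dict, inventory: dict) -> dict:
    """Map each env var to (classification, complete ARN to use instead or None)."""
    report = {}
    for env, value_from in task_secrets.items():
        status = classify(value_from, inventory)
        m = ARN_RE.match(value_from)
        fix = inventory.get(m.group("name")) if m and status.startswith("partial") else None
        report[env] = (status, fix)
    return report
```

Run `check_task(TASK_SECRETS, INVENTORY)` to see which entries should be rewritten with the complete ARN before the task definition is registered.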