How to specify "version id" of a secret in ECS task definition?

0

Hello,

Is there some way to define which exact secret version an ECS task definition should use? Something like <secret-arn>:<secret-version-id>. Is something like this possible?

I'm using this shell code to update a secret with a new version:

        # Push the secret to AWS Secrets Manager
        SECRET_VERSION_ID=$(aws secretsmanager update-secret \
          --secret-id "${{ inputs.env_secret_name }}" \
          --secret-string file://.env.json \
          --query 'VersionId' \
          --output text)

        echo "Updated secret version ID: $SECRET_VERSION_ID"

        # Retrieve the secret's ARN
        SECRET_ARN=$(aws secretsmanager describe-secret \
          --secret-id "${{ inputs.env_secret_name }}" \
          --query 'ARN' \
          --output text)

        echo "Secret ARN: $SECRET_ARN"

        # Combine the ARN with the VersionId
        SECRET_VALUE_FROM="${SECRET_ARN}:${SECRET_VERSION_ID}"

        echo "Secret ARN + version: $SECRET_VALUE_FROM"

Now I have the "SECRET_VALUE_FROM" variable, which combines the ARN and version ID, but sadly this is not a valid ARN. Is there some way to do this? I would like to set this ARN + version ID as the secret source in the ECS task definition.

Something like this:

        # Fetch the current task definition
        TASK_DEFINITION=$(aws ecs describe-task-definition --task-definition "$ECS_TASK_NAME" --query taskDefinition)

        # Modify the task definition JSON
        NEW_TASK_DEFINITION=$(echo "$TASK_DEFINITION" | jq --arg IMAGE "$IMAGE_URL" --arg SECRET_FROM "$SECRET_VALUE_FROM" '
          .containerDefinitions[0].image = $IMAGE |
          .containerDefinitions[0].secrets[0].valueFrom = $SECRET_FROM |
          del(.taskDefinitionArn, .revision, .status, .requiresAttributes, .compatibilities, .registeredAt, .registeredBy)
        ')

When I try this, I get the following error:

ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve secret from asm: service call has been retried 1 time(s): secrets manager: failed to retrieve secret from arn:aws:secretsmanager:eu-west-3:034362029985:secret:backend-production-V7NM2U:9434f4dd-912e-4d47-a88d-7dabbfa3e997: unexpected ARN format with parameters when trying to retrieve ASM secret

Thank you for any help.

1 Answer
1

Hello.

If you want to include the version of SecretsManager in the ECS task definition, you need to register it in the following format.
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/secrets-envvar-secrets-manager.html#secrets-envvar-secrets-manager-update-container-definition

arn:aws:secretsmanager:region:aws_account_id:secret:secret-name:json-key:version-stage:version-id
EXPERT
answered 4 months ago
EXPERT
reviewed 4 months ago
AWS EXPERT
reviewed 4 months ago
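As an added illustration (not part of the answer above or of any AWS tooling), the following shell helper builds the valueFrom string in the 10-field layout the answer quotes, leaving json-key and version-stage as empty slots when only the version ID is wanted, and checks the field count so the "unexpected ARN format" case from the question can be caught before the task definition is registered. The ARN and version ID are constructed sample values, and the field-count rule (7 fields for a bare secret ARN, exactly 10 for the extended form) is an assumption derived from the quoted format.

```shell
#!/usr/bin/env sh
# Assumed helper (not from the post or AWS): build the ECS "valueFrom" string
# that pins a Secrets Manager secret to one version, in the layout quoted above:
#   <secret ARN>:<json-key>:<version-stage>:<version-id>
# Optional parts are emitted as empty slots so the field positions stay fixed.
ecs_secret_value_from() {
  arn="$1"; json_key="${2:-}"; version_stage="${3:-}"; version_id="${4:-}"
  printf '%s:%s:%s:%s\n' "$arn" "$json_key" "$version_stage" "$version_id"
}

# Count colon-separated fields (secret names cannot contain ':' so the split is safe).
ecs_secret_value_from_fields() {
  printf '%s' "$1" | awk -F: '{ print NF }'
}

# Assumed rule: a bare secret ARN has 7 fields, the extended form exactly 10.
# Anything else is the shape ECS rejected in the question (ARN + ":" + version id = 8).
ecs_secret_value_from_is_valid() {
  n=$(ecs_secret_value_from_fields "$1")
  [ "$n" -eq 7 ] || [ "$n" -eq 10 ]
}

# Constructed sample values, not real resources.
SAMPLE_ARN="arn:aws:secretsmanager:eu-west-3:111122223333:secret:backend-production-AbCdEf"
SAMPLE_VERSION_ID="0a1b2c3d-0000-4000-8000-000000000000"

# What the question's script produced: one extra colon, rejected by ECS.
BROKEN="${SAMPLE_ARN}:${SAMPLE_VERSION_ID}"
# Pin to a version ID only (json-key and version-stage left empty).
PINNED=$(ecs_secret_value_from "$SAMPLE_ARN" "" "" "$SAMPLE_VERSION_ID")
# Pin one key of a JSON secret at the AWSPREVIOUS stage instead of a version ID.
KEYED=$(ecs_secret_value_from "$SAMPLE_ARN" "DB_PASSWORD" "AWSPREVIOUS" "")

for v in "$BROKEN" "$PINNED" "$KEYED"; do
  if ecs_secret_value_from_is_valid "$v"; then
    echo "ok      $v"
  else
    echo "invalid $v"
  fi
done
```

Use the PINNED form as the value passed to jq for .secrets[0].valueFrom; the task execution role still needs secretsmanager:GetSecretValue on the secret, and each new secret version needs a new task definition revision carrying the new ID, which the pipeline in the question already does.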
