Hello,
Is there some way to define which exact secret version an ECS task definition should use? Something like <secret-arn>:<secret-version-id>. Is something like this possible?
I'm using this shell code to update a secret with a new version:
# Push the secret to AWS Secrets Manager
SECRET_VERSION_ID=$(aws secretsmanager update-secret \
--secret-id "${{ inputs.env_secret_name }}" \
--secret-string file://.env.json \
--query 'VersionId' \
--output text)
echo "Updated secret version ID: $SECRET_VERSION_ID"
# Retrieve the secret's ARN
SECRET_ARN=$(aws secretsmanager describe-secret \
--secret-id "${{ inputs.env_secret_name }}" \
--query 'ARN' \
--output text)
echo "Secret ARN: $SECRET_ARN"
# Combine the ARN with the VersionId
SECRET_VALUE_FROM="${SECRET_ARN}:${SECRET_VERSION_ID}"
echo "Secret ARN + version: $SECRET_VALUE_FROM"
Now I have the "SECRET_VALUE_FROM" variable, which combines the ARN and version ID, but sadly this is not a valid ARN. Is there some way to do this? I would like to set this ARN + version ID as the secret source in the ECS task definition.
Something like this:
# Fetch the current task definition
TASK_DEFINITION=$(aws ecs describe-task-definition --task-definition "$ECS_TASK_NAME" --query taskDefinition)
# Modify the task definition JSON
NEW_TASK_DEFINITION=$(echo "$TASK_DEFINITION" | jq --arg IMAGE "$IMAGE_URL" --arg SECRET_FROM "$SECRET_VALUE_FROM" '
.containerDefinitions[0].image = $IMAGE |
.containerDefinitions[0].secrets[0].valueFrom = $SECRET_FROM |
del(.taskDefinitionArn, .revision, .status, .requiresAttributes, .compatibilities, .registeredAt, .registeredBy)
')
When I try this, I get the following error:
ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve secret from asm: service call has been retried 1 time(s): secrets manager: failed to retrieve secret from arn:aws:secretsmanager:eu-west-3:034362029985:secret:backend-production-V7NM2U:9434f4dd-912e-4d47-a88d-7dabbfa3e997: unexpected ARN format with parameters when trying to retrieve ASM secret
Thank you for any help.
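The following is an added example, not code from the question above. It builds the ECS `valueFrom` reference in the form ECS documents for Secrets Manager secrets, `arn:aws:secretsmanager:region:account:secret:name:json-key:version-stage:version-id`, where `json-key` and `version-stage` may be left empty but their separating colons must stay, and it checks a reference's colon-separated field count before it is written into a task definition. The rule that a reference is valid only with 7 fields (plain secret ARN) or 10 fields (full parameterised form) is an assumption derived from that documented layout; the ARN, account ID and version ID used in the demo are constructed placeholders. Pinning a version this way makes a deployment reproducible and lets a rollback redeploy the exact secret version it was built with, which is the point of wanting the version in the reference in the first place.

```shell
#!/bin/sh
# Added example (not from the original post). Builds and validates a versioned
# ECS "valueFrom" reference to a Secrets Manager secret.
#
# Documented layout:
#   arn:aws:secretsmanager:region:account:secret:name:json-key:version-stage:version-id
# json-key and version-stage may be empty, but their colons must remain.
# Assumption used here: a valid reference has exactly 7 fields (whole secret,
# current version) or exactly 10 fields (parameterised form). ARN + ":" + version
# id has 8 fields and is rejected.

# Count colon-separated fields in $1, including trailing empty ones.
count_fields() {
    ref=$1
    n=1
    while [ "${ref#*:}" != "$ref" ]; do
        ref=${ref#*:}
        n=$((n + 1))
    done
    echo "$n"
}

# Build a reference pinned to version id $2 of secret ARN $1,
# leaving json-key and version-stage empty.
pin_secret_version() {
    printf '%s:::%s\n' "$1" "$2"
}

# Build a reference pinned to JSON key $2 and version id $3 (version-stage empty).
pin_secret_key_version() {
    printf '%s:%s::%s\n' "$1" "$2" "$3"
}

# Return 0 if $1 looks like a Secrets Manager reference ECS can parse.
check_secret_ref() {
    case "$1" in
        arn:aws:secretsmanager:*) ;;
        *) return 1 ;;
    esac
    case "$(count_fields "$1")" in
        7|10) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo with constructed placeholders (not a real account or secret).
DEMO_ARN="arn:aws:secretsmanager:eu-west-3:123456789012:secret:backend-production-AbCdEf"
DEMO_VERSION="11111111-2222-3333-4444-555555555555"
BAD_REF="${DEMO_ARN}:${DEMO_VERSION}"                         # 8 fields: rejected
GOOD_REF=$(pin_secret_version "$DEMO_ARN" "$DEMO_VERSION")    # 10 fields: accepted

for ref in "$DEMO_ARN" "$BAD_REF" "$GOOD_REF"; do
    if check_secret_ref "$ref"; then
        echo "ok  ($(count_fields "$ref") fields): $ref"
    else
        echo "BAD ($(count_fields "$ref") fields): $ref"
    fi
done
```

In the question's pipeline, `GOOD_REF` is what would be passed to `jq --arg SECRET_FROM` in place of `SECRET_VALUE_FROM`, and running `check_secret_ref` on it before `register-task-definition` turns the `ResourceInitializationError` seen at task start into a failed pipeline step with a clear message.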