
How to specify "version id" of a secret in ECS task definition?

0

Hello,

Is there some way to define which exact secret version an ECS task definition should use? Something like <secret-arn>:<secret-version-id>. Is something like this possible?

I'm using this shell code to update a secret with a new version:

        # Push the secret to AWS Secrets Manager
        SECRET_VERSION_ID=$(aws secretsmanager update-secret \
          --secret-id "${{ inputs.env_secret_name }}" \
          --secret-string file://.env.json \
          --query 'VersionId' \
          --output text)

        echo "Updated secret version ID: $SECRET_VERSION_ID"

        # Retrieve the secret's ARN
        SECRET_ARN=$(aws secretsmanager describe-secret \
          --secret-id "${{ inputs.env_secret_name }}" \
          --query 'ARN' \
          --output text)

        echo "Secret ARN: $SECRET_ARN"

        # Combine the ARN with the VersionId
        SECRET_VALUE_FROM="${SECRET_ARN}:${SECRET_VERSION_ID}"

        echo "Secret ARN + version: $SECRET_VALUE_FROM"

Now I have the "SECRET_VALUE_FROM" variable which combines the ARN and version id, but sadly this is not a valid ARN. Is there some way to do this? I would like to set this ARN + version id as the secret source in the ECS task definition.

Something like this:

        # Fetch the current task definition
        TASK_DEFINITION=$(aws ecs describe-task-definition --task-definition "$ECS_TASK_NAME" --query taskDefinition)

        # Modify the task definition JSON
        NEW_TASK_DEFINITION=$(echo "$TASK_DEFINITION" | jq --arg IMAGE "$IMAGE_URL" --arg SECRET_FROM "$SECRET_VALUE_FROM" '
          .containerDefinitions[0].image = $IMAGE |
          .containerDefinitions[0].secrets[0].valueFrom = $SECRET_FROM |
          del(.taskDefinitionArn, .revision, .status, .requiresAttributes, .compatibilities, .registeredAt, .registeredBy)
        ')

When I try this, I get the following error:

ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve secret from asm: service call has been retried 1 time(s): secrets manager: failed to retrieve secret from arn:aws:secretsmanager:eu-west-3:034362029985:secret:backend-production-V7NM2U:9434f4dd-912e-4d47-a88d-7dabbfa3e997: unexpected ARN format with parameters when trying to retrieve ASM secret

Thank you for any help.

1 Answer
1

Hello.

If you want to include the version of SecretsManager in the ECS task definition, you need to register it in the following format:
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/secrets-envvar-secrets-manager.html#secrets-envvar-secrets-manager-update-container-definition

        arn:aws:secretsmanager:region:aws_account_id:secret:secret-name:json-key:version-stage:version-id
answered 3 months ago
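The format from the answer, as an added shell example (not code from the post or from AWS): a helper that composes the `valueFrom` value with every selector slot present, leaving unused ones empty, so a pinned version id ends up as `<arn>:::<version-id>` rather than the asker's `<arn>:<version-id>`. The sample ARN and version id are constructed placeholders, and the `pin_task_definition_secret` helper assumes `jq` is installed.

```shell
#!/bin/sh
# Compose an ECS "valueFrom" for a Secrets Manager secret using the documented
# layout: arn:...:secret:secret-name:json-key:version-stage:version-id
# ECS rejects the ARN if any of the three trailing fields is missing, so the
# colons are always emitted even when the field is left blank.
#
# usage: ecs_secret_value_from SECRET_ARN [JSON_KEY] [VERSION_STAGE] [VERSION_ID]
ecs_secret_value_from() {
  arn=$1; json_key=${2:-}; version_stage=${3:-}; version_id=${4:-}
  # Only Secrets Manager ARNs take this suffix; SSM parameters do not.
  case "$arn" in
    arn:aws:secretsmanager:*:*:secret:*) ;;
    *) echo "not a Secrets Manager ARN: $arn" >&2; return 1 ;;
  esac
  # A stage and an id can point at different versions; refuse the ambiguity.
  if [ -n "$version_stage" ] && [ -n "$version_id" ]; then
    echo "specify version-stage or version-id, not both" >&2; return 1
  fi
  printf '%s:%s:%s:%s\n' "$arn" "$json_key" "$version_stage" "$version_id"
}

# Rewrite the first secret of the first container in a task definition JSON
# read from stdin (e.g. the output of `aws ecs describe-task-definition`).
# usage: pin_task_definition_secret VALUE_FROM < taskdef.json > new-taskdef.json
pin_task_definition_secret() {
  jq --arg vf "$1" '.containerDefinitions[0].secrets[0].valueFrom = $vf'
}

# Constructed sample values; the account id and secret suffix are placeholders.
SAMPLE_ARN='arn:aws:secretsmanager:eu-west-3:111122223333:secret:backend-production-AbCdEf'
SAMPLE_VERSION_ID='01234567-89ab-cdef-0123-456789abcdef'

# Pin the whole secret to one version id (what the asker's pipeline wants).
ecs_secret_value_from "$SAMPLE_ARN" '' '' "$SAMPLE_VERSION_ID"
# Pick one JSON key and track the AWSCURRENT stage instead of a fixed id.
ecs_secret_value_from "$SAMPLE_ARN" 'DB_PASSWORD' 'AWSCURRENT' ''
```

Pinning to a version id means a later `update-secret` has no effect on running tasks until the task definition is re-registered, which is the behaviour the asker's pipeline relies on.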
