
Questions tagged with AWS Secrets Manager


How can I build a CloudFormation secret out of another secret?

I have an image I deploy to ECS that expects an environment variable called `DATABASE_URL` which contains the username and password as the userinfo part of the URL (e.g. `postgres://myusername:mypassword@mydb.foo.us-east-1.rds.amazonaws.com:5432/mydbname`). I cannot change the image. Using `DatabaseInstance.Builder.credentials(fromGeneratedSecret("myusername"))`, CDK creates a secret in Secrets Manager for me that has all of this information, but not as a single value:

```json
{
  "username": "myusername",
  "password": "mypassword",
  "engine": "postgres",
  "host": "mydb.foo.us-east-1.rds.amazonaws.com",
  "port": 5432,
  "dbInstanceIdentifier": "live-myproduct-db"
}
```

Somehow I need to synthesise that `DATABASE_URL` environment variable. I don't think I can do it in the ECS Task Definition; as far as I can tell the secret can only reference a single key in a secret. I thought I might be able to add an extra `url` key to the existing secret using references in CloudFormation, but I can't see how. Something like:

```java
secret.newBuilder()
    .addTemplatedKey(
        "url",
        "postgres://#{username}:#{password}@#{host}:#{port}/#{db}"
    )
    .build()
```

except that I just made that up... Alternatively I could use CDK to generate a new secret in either Secrets Manager or Systems Manager, but again I want to specify it as a template so that the real secret values don't get materialised in the CloudFormation template. Any thoughts? I'm hoping I'm just missing some way to use the API to build compound secrets...
3 answers · 0 votes · 14 views · asked 10 days ago
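The assembly step itself, whichever component ends up performing it at runtime, as an added Python illustration that is not code from the question: it takes a secret with the same JSON keys as the one shown above and percent-encodes the credentials, since a generated password can contain characters that are reserved in a URL. The database name is assumed to be supplied separately, because the secret shown carries no `dbname` key; the sample secret value is constructed.

```python
import json
from typing import Tuple
from urllib.parse import quote, unquote, urlsplit

# Constructed sample with the same keys as the CDK/RDS-generated secret in the question.
# The password is made up and deliberately contains URL-reserved characters.
SAMPLE_SECRET_STRING = json.dumps({
    "username": "myusername",
    "password": "p@ss:w/rd#1",
    "engine": "postgres",
    "host": "mydb.foo.us-east-1.rds.amazonaws.com",
    "port": 5432,
    "dbInstanceIdentifier": "live-myproduct-db",
})


def build_database_url(secret_string: str, dbname: str) -> str:
    """Assemble engine://user:password@host:port/dbname from the secret's JSON fields.

    Username and password are percent-encoded with no "safe" characters, so a
    password containing ':', '/', '@' or '#' cannot be misread as the host,
    path or fragment part of the URL.
    """
    secret = json.loads(secret_string)
    userinfo = "{}:{}".format(quote(secret["username"], safe=""),
                              quote(secret["password"], safe=""))
    return "{}://{}@{}:{}/{}".format(
        secret["engine"], userinfo, secret["host"], int(secret["port"]), dbname)


def credentials_from_url(url: str) -> Tuple[str, str]:
    """Parse the userinfo back out of the URL, undoing the percent-encoding."""
    parts = urlsplit(url)
    return unquote(parts.username or ""), unquote(parts.password or "")


if __name__ == "__main__":
    url = build_database_url(SAMPLE_SECRET_STRING, "mydbname")
    # Verify the round trip without writing the credentials to stdout.
    assert credentials_from_url(url) == ("myusername", "p@ss:w/rd#1")
    print("DATABASE_URL host:", urlsplit(url).hostname)
```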

Cannot access Secrets Manager from Lightsail

I have a Lightsail instance with a very small Python script for testing. The script looks like:

```python
import boto3
import json

region_name = "us-east-1"
secret_name = "arn:aws:secretsmanager:us-east-1:XXXXXX:XXXX"

client = boto3.client(service_name='secretsmanager', region_name=region_name)
response = client.get_secret_value(SecretId=secret_name)
secrets1 = json.loads(response['SecretString'])
print(secrets1['Password'])
```

When I run the above code, I get the following error:

```
An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:sts::XXXXXXXX:assumed-role/AmazonLightsailInstanceRole/XXXXXXX is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-1:XXXXXXXX:secret:XXXXXX because no resource-based policy allows the secretsmanager:GetSecretValue action
```

I have tried:

* creating a Lightsail role in IAM with the "SecretsManagerReadWrite" policy attached. One problem with this approach is that I didn't see a Lightsail option when selecting an AWS service, so I selected EC2.
* running the code as the root user
* creating another IAM user with proper permissions (full access to Lightsail and SecretsManagerReadWrite)
* scouring several forums looking for answers. I find some cases that are similar to mine, but haven't found a solution I can use fully (although I have used bits and pieces with no luck).

None of the above worked (although I can't guarantee I put all the pieces together correctly). So my question is: how can I access a secret in my Secrets Manager service and use it in my Python code in Lightsail? This is all done within a single AWS account. I am very new to the AWS framework and am admittedly confused by the IAM roles and users and how I provision permission for a Lightsail instance to access Secrets Manager. Thanks for any help.
1 answer · 0 votes · 6 views · asked 14 days ago

AWS::CodePipeline::Pipeline Action configuration field 1000 character limit

Setting up a CodeBuild action inside CodePipeline via a CF template (the AWS::CodePipeline::Pipeline resource), I keep running into a very limiting factor where the configuration fields are all limited to 1000 characters (see https://docs.aws.amazon.com/codepipeline/latest/userguide/limits.html):

```
Maximum length of the action configuration value (for example, the value of the RepositoryName configuration in the CodeCommit action configuration should be less than 1000 characters: "RepositoryName": "my-repo-name-less-than-1000-characters")
```

This limit is enough for most configuration fields, but when configuring a `CodeBuild` action, the `EnvironmentVariables` field [expects a JSON string](https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-stages-actions.html#cfn-codepipeline-pipeline-stages-actions-configuration). This JSON string can very quickly reach 1000 characters, with even as few as 10 environment variables, especially if those variables are extracted from `SECRETS_MANAGER`. For example, declaring just one variable like this:

```json
{"name":"MYSERVICE_VARIABLE","value":"aws:secretsmanager:ap-northeast-1:123458087:secret:my-secret-staging-name:password","type":"SECRETS_MANAGER"}
```

will on its own be 148 characters. If the pipeline requires just 5 of these secrets and maybe 2-3 more short ones, the limit will be reached and deployment of the pipeline will fail. I was wondering if there is any chance this limit can be reviewed once more and maybe increased to, say, a 1 MB JSON string? Failing to do so will render this feature useful only in the simplest of use cases...

Regards, Julian.
2 answers · 0 votes · 1 view · asked 3 months ago

aws-elasticbeanstalk-ec2-role aws-elasticbeanstalk-ec2-role is not authorized to perform: secretsmanager:GetSecretValue although the default role is updated to include policy

There is an EC2 instance attempting to get a secret from Secrets Manager but it errors with the following:

```
Error getting database credentials from Secrets Manager AccessDeniedException: User: arn:aws:sts::{AccountNumber}:assumed-role/aws-elasticbeanstalk-ec2-role/i-{instanceID} is not authorized to perform: secretsmanager:GetSecretValue on resource: rds/staging/secretName because no identity-based policy allows the secretsmanager:GetSecretValue action
```

I have tried adding the following policy to the general aws-elasticbeanstalk-ec2-role to allow for access, but it is still not able to get the secrets:

GetSecretsPolicy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds"
      ],
      "Resource": "arn:aws:secretsmanager:*:{AccountNumber}:secret:rds/production/secretName"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "secretsmanager:GetRandomPassword",
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds"
      ],
      "Resource": "arn:aws:secretsmanager:*:{AccountNumber}:secret:rds/staging/secretName"
    }
  ]
}
```

I continue to get the error and am wondering if there is something I can tweak to make it able to have proper access to the secret values.
3 answers · 0 votes · 319 views · asked 4 months ago

Unable to retrieve stored AWS Secrets Manager API keys and parameters

Hi everyone, I am new to Lambda functions. I have stored my API key and other parameters for a REST endpoint as key/value pairs in a secret in AWS Secrets Manager. While I need to retrieve the key and other parameters to construct the endpoint, I am unable to even print it. I have added my code below, written in Python. The response is coming back null, with no error and no information in the logs.

```python
import base64
import json

import boto3
from botocore.exceptions import ClientError


def get_secret():
    secret_name = "aXXXXXXXXXXXXXXXXXXXXXXX2cFVdm"
    region_name = "apXXXXXXX1"

    session = boto3.session.Session()
    client = session.client(
        service_name='secretsmanager',
        region_name=region_name
    )

    # In this sample we only handle the specific exceptions for the 'GetSecretValue' API.
    # See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
    # We rethrow the exception by default.
    get_secret_value_response = ""
    try:
        get_secret_value_response = client.get_secret_value(
            SecretId=secret_name
        )
    except ClientError as e:
        if e.response['Error']['Code'] == 'DecryptionFailureException':
            # Secrets Manager can't decrypt the protected secret text using the provided KMS key.
            # Deal with the exception here, and/or rethrow at your discretion.
            raise e
        elif e.response['Error']['Code'] == 'InternalServiceErrorException':
            # An error occurred on the server side.
            # Deal with the exception here, and/or rethrow at your discretion.
            raise e
        elif e.response['Error']['Code'] == 'InvalidParameterException':
            # You provided an invalid value for a parameter.
            # Deal with the exception here, and/or rethrow at your discretion.
            raise e
        elif e.response['Error']['Code'] == 'InvalidRequestException':
            # You provided a parameter value that is not valid for the current state of the resource.
            # Deal with the exception here, and/or rethrow at your discretion.
            raise e
        elif e.response['Error']['Code'] == 'ResourceNotFoundException':
            # We can't find the resource that you asked for.
            # Deal with the exception here, and/or rethrow at your discretion.
            raise e
        else:
            # Any other client error is rethrown rather than swallowed.
            raise e
    else:
        # Decrypts secret using the associated KMS key.
        # Depending on whether the secret is a string or binary, one of these fields will be populated.
        if 'SecretString' in get_secret_value_response:
            secret = get_secret_value_response['SecretString']
        else:
            secret = base64.b64decode(get_secret_value_response['SecretBinary'])

        # Your code goes here.
        # Return the secret value itself rather than the raw API response.
        return secret


def lambda_handler(event, context):
    ms = get_secret()
    # Note: this writes the secret value to CloudWatch Logs; keep it for debugging only.
    print(ms)
```
3 answers · 0 votes · 28 views · asked 4 months ago