Questions tagged with AWS Secrets Manager
I am trying to create a new connection for a new API destination for an EventBridge rule. The API destination is to a service hosted in AWS. I am trying to set up OAuth client credentials. I am trying to re-use credentials that are in AWS Secrets Manager.
I keep getting the following error:
Invalid target fields. Complete all required fields for the new connection correctly.
I am not being told which field is incorrect. Is there a way to know which connection field is wrong? Is re-using credentials from Secrets Manager possible?
Test Endpoint failed: Application-Status: 1020912, Application-Message: Failed to retrieve secret. Unable to find Secrets Manager secret, Application-Detailed-Message: Unable to find AWS Secrets Manager secret Arn 'arn:aws:secretsmanager:<region>:<account>:secret:XXXXXXX' The secrets_manager get secret value failed: curlCode: 7, Couldn't connect to server Too many retries: curlCode: 7, Couldn't connect to server
Hi, I'm doing a DMS endpoint connection test between private VPCs.
I'm fighting the above error.
I set it up as below.
* VPC1: Replication instance
* VPC2: MySQL RDS (admin password in Secrets Manager)
* Both VPCs are in the same account.
I also created a **SecretManager VPC Endpoint on VPC1,**
and the IAM Role connected to the DMS endpoint...
This role has the following policy:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": [
        "arn:aws:secretsmanager:<region>:<account>:secret:XXXXXXX"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:<region>:<account>:key/*"
    }
  ]
}
```
Here is the role trust policy:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "dms.amazonaws.com",
          "dms.<region>.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
but the connection is not possible.
If I test the endpoint connection without using Secrets Manager, with the same username and password values, it connects fine.
What's the problem? Please help me.
Most AWS services are metered on multiple dimensions, yet in Cost Explorer I can only see a single $ value that represents the service charge. For example, Secrets Manager is priced as a combination of $0.40 per secret per month + $0.05 per 10,000 API calls.
If my monthly charge is $15/month, how can I see a detailed breakdown of the billed API calls that have been charged?
Thanks!
For a MySQL database, I turned on "Manage master credentials" in the AWS console. I then decided to use a "master password" instead. When I uncheck ManageMasterUserPassword and assign a "master password", the AWS console gives me an error: "You can't specify MasterUserPassword for an instance with ManageMasterUserPassword enabled."
## Issue
We have an Aurora PostgreSQL version 14.5 RDS cluster. We have a secret in SecretsManager with credentials for a user we want to rotate the password for. When rotating the secret, the Lambda gets stuck at the `setSecret` step with the error `Unable to log into database with previous, current, or pending secret`. We have determined that this relates to the `password_encryption` option in the cluster parameter group. If we set it to `md5` (whereas the default is, I believe, `scram-sha-256`) the rotation will work again _after_ we update it manually. We can then rotate it as many times as we want.
### Question
How can we get the secret rotation to work while using the default cluster parameter group for an Aurora PostgreSQL cluster?
### To reproduce
1. Have a secret [formatted as expected](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_secret_json_structure.html#reference_secret_json_structure_rds-postgres).
2. Have a Lambda running the [python code provided by AWS](https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas/blob/master/SecretsManagerRDSPostgreSQLRotationSingleUser/lambda_function.py).
3. Have a version 14.5 Aurora PostgreSQL cluster using the `default.aurora-postgresql14` cluster parameter group.
4. Click the "Rotate secret immediately" button in the console.
5. In the Lambda logs, see the error `setSecret: Unable to log into database with previous, current, or pending secret of secret arn arn:aws:secretsmanager:....`
### How to Recover
1. Create a new cluster parameter group that is a copy of `default.aurora-postgresql14`.
2. Change `password_encryption` to `md5`.
3. Apply this new parameter group to the cluster.
4. Cancel the secret rotation: `aws secretsmanager cancel-rotate-secret --secret-id ....`
5. Manually change the user's password to a new one.
6. Update the secret with the new password.
7. Click the "Rotate secret immediately" button in the console.
I am manually uploading the AWS credentials file, which contains an access key, secret key, session token and more. I am trying to fetch the secret values in my Secrets Manager through Java code. Currently I am using GetSecretValueResponse for fetching the values and AWSCredsProvider(access key, secret key) as my credentials provider. It is expecting an instance of AwsSessionCredentials(access key, secret key, session token), but this is a final class. So how can I make my Java code use the session token that is provided in the file I uploaded initially?
```
<dependency>
  <groupId>software.amazon.awssdk</groupId>
  <artifactId>secretsmanager</artifactId>
  <version>2.20.22</version>
</dependency>
```
Dependency that I have used.
ERROR: The security token included in the request is invalid. (Service: SecretsManager, Status Code: 400, Request ID: 7b4d76ea-389f-4068-8fde-577224a67f5c)
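The post above asks how to pass a session token when `AwsSessionCredentials` is final. It is never subclassed: the SDK v2 builds it through a static factory, or parses it from the credentials file itself. The following is an added example, not code from the original post; the profile name `temp-session` and the secret name `my-app/db` are placeholders.

```java
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;

public class SessionTokenSecretReader {

    // Option A: the three values were read out of the uploaded credentials file.
    // AwsSessionCredentials is final, but you do not subclass it; you create it
    // with the static factory and wrap it in a StaticCredentialsProvider.
    static SecretsManagerClient fromSessionValues(String accessKey, String secretKey,
                                                  String sessionToken, Region region) {
        AwsSessionCredentials creds =
                AwsSessionCredentials.create(accessKey, secretKey, sessionToken);
        return SecretsManagerClient.builder()
                .region(region)
                .credentialsProvider(StaticCredentialsProvider.create(creds))
                .build();
    }

    // Option B: let the SDK parse ~/.aws/credentials. A profile that carries
    // aws_session_token resolves to session credentials automatically, so the
    // token never has to be copied into application code.
    static SecretsManagerClient fromProfile(String profileName, Region region) {
        return SecretsManagerClient.builder()
                .region(region)
                .credentialsProvider(ProfileCredentialsProvider.create(profileName))
                .build();
    }

    static String readSecret(SecretsManagerClient client, String secretId) {
        GetSecretValueRequest req = GetSecretValueRequest.builder()
                .secretId(secretId)
                .build();
        return client.getSecretValue(req).secretString();
    }

    public static void main(String[] args) {
        // "temp-session" is an assumed profile name; "my-app/db" is a placeholder secret.
        try (SecretsManagerClient client = fromProfile("temp-session", Region.EU_WEST_1)) {
            String value = readSecret(client, "my-app/db");
            // Log only that retrieval worked, never the secret value itself.
            System.out.println("retrieved secret of length " + value.length());
        }
    }
}
```

If the 400 "security token included in the request is invalid" error persists after this change, the token has usually expired or was issued for a different access key pair than the one being sent with it.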
I am using AWS EC2 instance and I can connect to it using username and key-value pair (file). But I'd need to connect (over Wordpress) to the server and it's asking me to enter a password.
How and where can I find the password which I can type in? (The only password, or better said private key, I am familiar with is in the .pem file)
Here is the screenshot: https://prnt.sc/gAdr9Y0DSaJb
Thanks!
I'm building a full-stack application with the Next.js framework and want to deploy it to App Runner. However, Next.js needs to have environment variables (secrets) at build time, otherwise the build fails. This is stated clearly in the Next.js documentation. However, it seems that in App Runner I'm only able to expose environment variables at runtime. Is there any way to get secrets from Secrets Manager and set env values at build time? I do not wish to have my env values on the client side, so the NEXT_PUBLIC_ prefix is not a solution for this.
I'm using an apprunner.yml config file and deploy automatically from a GitHub repository.
Here is my apprunner.yml config file content:
```
version: 1.0
runtime: nodejs16
build:
  commands:
    build:
      - yarn --production
      - yarn build
run:
  command: yarn start
  network:
    port: 3000
  env:
    - name: PRIMARY_DB_NAME
      value: "primary"
  secrets:
    - name: DB_URI
      value-from: "arn:here"
```
Aurora MySQL Serverless v1 is no longer supported (for creation), yet all of the documentation still points towards Serverless v1. I am using MySQL Serverless v2 with Secrets Manager, and I have a Python module that is able to connect to the writer endpoint fine without RDS Proxy. To follow the Lambda function examples, I have created an RDS Proxy; however, I am having a hard time finding reliable Lambda code examples, especially in JavaScript, that can successfully connect to my Aurora Serverless v2. The goal is to have this connection triggered by Cognito events.
Hi there,
I am attempting to use the extension in the title, following the guide mentioned [here](https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_lambda.html), and I am unfortunately hitting an issue where the extension starts and awaits requests (I can see this in the logs after setting the debug flag), although when I send the request, it times out. I have set the timeout of the Lambda to the maximum possible value with the same effect.

I have set my Lambda's execution role in the following manner:

The runtime of my function is arm64 using TypeScript. My code to request my secret is as follows:

I have been trying different things all to no avail as the application still times out. Any help on what is going on here would be greatly appreciated.
Hi,
While trying to deploy an AWS App Runner service, which is a Spring Boot application integrated with AWS Secrets Manager, the deployment fails citing the reason:
> com.amazonaws.SdkClientException: Unable to execute HTTP request: Connect to secretsmanager.eu-west-1.amazonaws.com:443
I am using a VPC connector to enable an RDS connection for the application. Any insights on fixing this issue would be really helpful.
I have configured an MSK cluster and allowed public access through the SASL/SCRAM authentication method. Now I am facing an issue where I do not have the necessary permissions when using these credentials (stored in Secrets Manager, created with a custom key). The connecting client can perform certain operations but fails to fetch or create topics, or to publish a new message to an existing topic. I am using Confluent and C#, and here is an example of my client configuration.
```
BootstrapServers = Config.KafkaBootstrapServers,
SaslMechanism = SaslMechanism.ScramSha512,
SecurityProtocol = SecurityProtocol.SaslSsl,
SaslUsername = Config.Username, // username from secrets manager
SaslPassword = Config.Password, // password from secrets manager
ClientId = Config.Client,
Acks = Acks.All
```
How can I assign higher permissions? Since it is a managed Kafka service, there is no option to modify this on the broker level. And since there is no user behind these credentials, I cannot assign a specific policy to it. What are the options here?
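On a SASL/SCRAM cluster the SCRAM username is the Kafka principal (`User:<username>`), and what it may do is governed by Kafka ACLs rather than by IAM. The following added example (not from the original post) grants that principal only DESCRIBE and WRITE on one literal topic via the Kafka AdminClient; it assumes an admin SCRAM user that already holds ALTER on the cluster, and the bootstrap address, usernames and topic name are placeholders.

```java
import java.util.List;
import java.util.Properties;
import java.util.concurrent.ExecutionException;
import org.apache.kafka.clients.admin.Admin;
import org.apache.kafka.clients.admin.AdminClientConfig;
import org.apache.kafka.common.acl.AccessControlEntry;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.acl.AclPermissionType;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.resource.ResourcePattern;
import org.apache.kafka.common.resource.ResourceType;

public class ScramUserAcls {

    // Admin connection over SASL_SSL with SCRAM-SHA-512, the same mechanism the
    // C# client uses. The admin user is assumed to already hold ALTER on the cluster.
    static Properties adminProps(String bootstrap, String adminUser, String adminPassword) {
        Properties p = new Properties();
        p.put(AdminClientConfig.BOOTSTRAP_SERVERS_CONFIG, bootstrap);
        p.put("security.protocol", "SASL_SSL");
        p.put("sasl.mechanism", "SCRAM-SHA-512");
        p.put("sasl.jaas.config",
              "org.apache.kafka.common.security.scram.ScramLoginModule required "
              + "username=\"" + adminUser + "\" password=\"" + adminPassword + "\";");
        return p;
    }

    // Least-privilege producer grant: DESCRIBE + WRITE on exactly one topic,
    // bound to the SCRAM principal "User:<username>" from any host.
    static List<AclBinding> producerAcls(String username, String topic) {
        ResourcePattern t = new ResourcePattern(ResourceType.TOPIC, topic, PatternType.LITERAL);
        String principal = "User:" + username;
        return List.of(
            new AclBinding(t, new AccessControlEntry(principal, "*",
                    AclOperation.DESCRIBE, AclPermissionType.ALLOW)),
            new AclBinding(t, new AccessControlEntry(principal, "*",
                    AclOperation.WRITE, AclPermissionType.ALLOW)));
    }

    public static void main(String[] args) throws ExecutionException, InterruptedException {
        // Placeholder values; real ones come from the MSK cluster and its secret.
        Properties props = adminProps("b-1.example.amazonaws.com:9196", "admin", "ADMIN_PASSWORD");
        try (Admin admin = Admin.create(props)) {
            admin.createAcls(producerAcls("app-user", "orders")).all().get();
        }
    }
}
```

Once any ACL exists for a topic, only the listed principals may use it, so add the consumer side (READ on the topic and on its consumer group) for the same principal before relying on this in production.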