Questions tagged with AWS Secrets Manager


AWS::CodePipeline::Pipeline Action configuration field 1000 character limit

Setting up a CodeBuild action inside CodePipeline via a CF template (the AWS::CodePipeline::Pipeline resource), I keep running into a very limiting factor where the configuration fields are all limited to 1000 characters (see: https://docs.aws.amazon.com/codepipeline/latest/userguide/limits.html):

```
Maximum length of the action configuration value (for example, the value of the RepositoryName configuration in the CodeCommit action configuration should be less than 1000 characters: "RepositoryName": "my-repo-name-less-than-1000-characters")
```

This limit is enough for most configuration fields, but when configuring a `CodeBuild` action, the `EnvironmentVariables` field [expects a JSON string](https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-codepipeline-pipeline-stages-actions.html#cfn-codepipeline-pipeline-stages-actions-configuration). This JSON string can very quickly reach 1000 characters with as few as 10 environment variables, especially if those variables are extracted from `SECRETS_MANAGER`. For example, declaring just one variable like this:

```json
{"name":"MYSERVICE_VARIABLE","value":"aws:secretsmanager:ap-northeast-1:123458087:secret:my-secret-staging-name:password","type":"SECRETS_MANAGER"}
```

will on its own be 148 characters. If the pipeline requires just 5 of these secrets and maybe 2-3 more short ones, the limit will be reached and deployment of the pipeline will fail. I was wondering if there is any chance this limit can get reviewed once more and maybe increased to, say, a 1 MB JSON string? Failing to do so will render this feature useful only in the simplest of use cases...

Regards, Julian.
2 answers · 0 votes · 152 views · asked 9 months ago

aws-elasticbeanstalk-ec2-role aws-elasticbeanstalk-ec2-role is not authorized to perform: secretsmanager:GetSecretValue although the default role is updated to include policy

There is an EC2 instance attempting to get a secret from Secrets Manager, but it errors with the following:

```
Error getting database credentials from Secrets Manager AccessDeniedException: User: arn:aws:sts::{AccountNumber}:assumed-role/aws-elasticbeanstalk-ec2-role/i-{instanceID} is not authorized to perform: secretsmanager:GetSecretValue on resource: rds/staging/secretName because no identity-based policy allows the secretsmanager:GetSecretValue action
```

I have tried adding the following policy to the general aws-elasticbeanstalk-ec2-role to allow access, but it is still not able to get the secrets:

GetSecretsPolicy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds"
      ],
      "Resource": "arn:aws:secretsmanager:*:{AccountNumber}:secret:rds/production/secretName"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "secretsmanager:GetRandomPassword",
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds"
      ],
      "Resource": "arn:aws:secretsmanager:*:{AccountNumber}:secret:rds/staging/secretName"
    }
  ]
}
```

I continue to get the error and am wondering if there is something I can tweak to make it able to have proper access to the secret values.
3 answers · 0 votes · 4554 views · asked a year ago
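A check for the kind of policy in the question above, added here as an example and not part of the original post or any AWS tool: Secrets Manager builds a secret's ARN from its name plus a hyphen and six random characters, so a `Resource` that names the secret without that suffix never matches the real ARN. The matcher below applies IAM wildcard semantics to a constructed sample ARN and policy (the account id, region, suffix and `Sid` are made-up values) and shows the bare-name `Resource` failing while a `-??????` suffix, which keeps the secret name pinned, passes.

```python
import re

# Constructed sample ARN, not one from the question. Secrets Manager appends
# "-" plus six random characters to the secret name when it builds the ARN.
REAL_SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:rds/staging/secretName-Ab1xYz"

def iam_pattern_to_regex(pattern: str, case_sensitive: bool) -> re.Pattern:
    """IAM wildcard semantics: '*' matches any run of characters (including
    ':' and '/'), '?' matches exactly one; everything else is literal."""
    out = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(out) + "$", 0 if case_sensitive else re.IGNORECASE)

def iam_match(pattern: str, value: str, case_sensitive: bool = True) -> bool:
    return iam_pattern_to_regex(pattern, case_sensitive).match(value) is not None

def as_list(v):
    return v if isinstance(v, list) else [v]

def allow_statements_covering(policy: dict, action: str, arn: str) -> list:
    """Sids of Allow statements whose Action (case-insensitive) and Resource
    (case-sensitive) both cover the request. Deny evaluation is omitted: the
    error in the question is the 'no identity-based policy allows' case,
    which corresponds to this list coming back empty."""
    return [
        s.get("Sid", "<no Sid>")
        for s in policy["Statement"]
        if s.get("Effect") == "Allow"
        and any(iam_match(a, action, case_sensitive=False) for a in as_list(s["Action"]))
        and any(iam_match(r, arn) for r in as_list(s["Resource"]))
    ]

def policy_with_resource(resource: str) -> dict:
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadStagingSecret", "Effect": "Allow",
         "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
         "Resource": resource}]}

# Bare name, as in the question's policy: it never equals the real ARN.
EXACT = policy_with_resource("arn:aws:secretsmanager:*:123456789012:secret:rds/staging/secretName")
# Least-privilege fix: pin the name and wildcard only the six-character suffix.
SUFFIXED = policy_with_resource("arn:aws:secretsmanager:*:123456789012:secret:rds/staging/secretName-??????")

if __name__ == "__main__":
    for label, pol in (("exact name", EXACT), ("name-??????", SUFFIXED)):
        hits = allow_statements_covering(pol, "secretsmanager:GetSecretValue", REAL_SECRET_ARN)
        print(f"{label:12} -> {'allowed by ' + ', '.join(hits) if hits else 'NOT allowed'}")
```

Run it against the ARN that `aws secretsmanager describe-secret` reports for the real secret to confirm the statement actually covers it before redeploying the role.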