Closed akitoshi-n closed 1 year ago
Thank you for creating PR. I appreciate it.
I'm having the same issue. Any ETA for PR #191 to be merged?
Hey Everyone,
I've merged PR #191 into a branch of my own and added a few tests but it still doesn't work.
Please let me know if I am misunderstanding the issue here, but if you're trying to update the value of a container's secret, it will not work because changing the value of a secret's key from a task-definition is not supported.
When you inject a secret into a container, the secret is encrypted and stored in the container's memory. The value of the secret cannot be changed after it is injected into the container.
Here's how I tested this:

I created a new secret in the AWS Secrets Manager with the key of FAKE_KEY and a value of Fakeapikey, and generated this arn: arn:aws:secretsmanager:us-west-2:122211685980:secret:ORBS_ECS_TEST_SECRET-Tm4qkC

I created a second secret using a different secret name but with the same key called FAKE_KEY. The value is Fakeapikey2 and the arn was: arn:aws:secretsmanager:us-west-2:122211685980:secret:ORBS_ECS_TEST_SECRET_2-5lqdB1
In my test, I ran this command first:
    - aws-ecs/update_service:
        family: "ecs-fg-1-service"
        service_name: "ecs-fg-1-service"
        cluster: "ecs-fg-1-cluster"
        container_image_name_updates: "container=ecs-fg-1-service,image-and-tag=$FULL_IMAGE_NAME"
        container_env_var_updates: 'container=ecs-fg-1-service,name=VERSION_INFO,value="${CIRCLE_SHA1}_${CIRCLE_BUILD_NUM}",container=ecs-fg-1-service,name=BUILD_DATE,value=$(date)'
        container_secret_updates: container=ecs-fg-1-service,name=FAKE_KEY,valueFrom=arn:aws:secretsmanager:us-west-2:122211685980:secret:ORBS_ECS_TEST_SECRET-Tm4qkC
        verify_revision_is_deployed: true
        fail_on_verification_timeout: false
Next, I ran the aws-ecs/deploy_service_update job and updated the container_secret_updates to use the same key, but changed the valueFrom value to the second secret's arn to update the value of the secret:
    - aws-ecs/deploy_service_update:
        auth:
          - aws-cli/setup:
              role_arn: "arn:aws:iam::122211685980:role/CPE_ECS_OIDC_TEST"
              profile_name: "ECS_TEST_PROFILE"
        family: "ecs-fg-1-service"
        cluster: "ecs-fg-1-cluster"
        container_env_var_updates: 'container=ecs-fg-1-service,name=VERSION_INFO,value="${CIRCLE_SHA1}_${CIRCLE_BUILD_NUM}",container=ecs-fg-1-service,name=BUILD_DATE,value=$(date)'
        container_secret_updates: container=ecs-fg-1-service,name=FAKE_KEY,valueFrom="arn:aws:secretsmanager:us-west-2:122211685980:secret:ORBS_ECS_TEST_SECRET_2-5lqdB1"
The update_service command works. However, running the aws-ecs/deploy_service_update job fails when trying to update FAKE_KEY with the value stored in the second arn. I receive the same error: An error occurred (ClientException) when calling the RegisterTaskDefinition operation: Duplicate secret names found: FAKE_KEY. Each secret name must be unique.
@RokPapez, I tried testing the changes to your python script but it doesn't resolve this issue. Can you please elaborate on the issue you're trying to solve with your script? It would be helpful if you were able to show me the task-definition with the old script before your changes and the definition after your changes.
I am going to close this issue for now but please feel free to reopen if there are more details I am missing. Thanks!
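As an added illustration, and not the orb's own code or the script from PR #191, the following Python sketch shows the two ways a container_secret_updates string can be merged into an already registered task definition, and why one of them produces exactly the RegisterTaskDefinition error quoted above. The container name, secret name, ARNs and update string are taken from the comment above; the task-definition fragment is constructed, and the function names and the merge logic are assumptions about what such a script needs to do. Appending a secret that already exists on the container yields two entries named FAKE_KEY; replacing the existing entry's valueFrom by name keeps the list unique, and a local pre-flight check catches the duplicate before the API call is made.

```python
import collections
import copy

ARN_1 = "arn:aws:secretsmanager:us-west-2:122211685980:secret:ORBS_ECS_TEST_SECRET-Tm4qkC"
ARN_2 = "arn:aws:secretsmanager:us-west-2:122211685980:secret:ORBS_ECS_TEST_SECRET_2-5lqdB1"

# Constructed task-definition fragment (not a real deployment): the container
# already carries the secret registered by the first update_service run.
EXISTING_TASK_DEFINITION = {
    "family": "ecs-fg-1-service",
    "containerDefinitions": [
        {
            "name": "ecs-fg-1-service",
            "image": "placeholder-image:latest",  # placeholder, not a real image
            "secrets": [{"name": "FAKE_KEY", "valueFrom": ARN_1}],
        }
    ],
}

# The container_secret_updates value from the second (failing) job above.
UPDATE_SPEC = 'container=ecs-fg-1-service,name=FAKE_KEY,valueFrom="' + ARN_2 + '"'


def parse_secret_updates(spec):
    """Parse 'container=<c>,name=<n>,valueFrom=<arn>,container=...' into dicts.

    Each 'container=' token starts a new update; surrounding quotes on values
    are stripped so a quoted ARN (as in the job above) parses the same way.
    Secrets Manager ARNs contain no commas, so splitting on ',' is safe here.
    """
    updates = []
    for token in spec.split(","):
        key, _, value = token.partition("=")
        key, value = key.strip(), value.strip().strip("\"'")
        if key == "container":
            updates.append({"container": value})
        elif key in ("name", "valueFrom") and updates:
            updates[-1][key] = value
        else:
            raise ValueError(f"unexpected token {token!r}")
    for update in updates:
        missing = {"container", "name", "valueFrom"} - update.keys()
        if missing:
            raise ValueError(f"update {update} is missing {sorted(missing)}")
    return updates


def _container(task_def, name):
    for container in task_def["containerDefinitions"]:
        if container["name"] == name:
            return container
    raise KeyError(f"no container named {name!r} in task definition")


def apply_secret_updates_append(task_def, updates):
    """Naive merge: always append. Re-declaring an existing secret name yields
    two entries with the same name, which is the failure reported above."""
    new = copy.deepcopy(task_def)
    for update in updates:
        secrets = _container(new, update["container"]).setdefault("secrets", [])
        secrets.append({"name": update["name"], "valueFrom": update["valueFrom"]})
    return new


def apply_secret_updates_replace(task_def, updates):
    """Merge by name: overwrite valueFrom of an existing secret, append otherwise."""
    new = copy.deepcopy(task_def)
    for update in updates:
        secrets = _container(new, update["container"]).setdefault("secrets", [])
        for secret in secrets:
            if secret["name"] == update["name"]:
                secret["valueFrom"] = update["valueFrom"]
                break
        else:
            secrets.append({"name": update["name"], "valueFrom": update["valueFrom"]})
    return new


def duplicate_secret_names(task_def):
    """Local pre-flight check, run before RegisterTaskDefinition: map each
    container name to the secret names it declares more than once."""
    dupes = {}
    for container in task_def["containerDefinitions"]:
        counts = collections.Counter(s["name"] for s in container.get("secrets", []))
        repeated = sorted(name for name, n in counts.items() if n > 1)
        if repeated:
            dupes[container["name"]] = repeated
    return dupes


if __name__ == "__main__":
    parsed = parse_secret_updates(UPDATE_SPEC)
    print("append ->", duplicate_secret_names(apply_secret_updates_append(EXISTING_TASK_DEFINITION, parsed)))
    print("replace ->", duplicate_secret_names(apply_secret_updates_replace(EXISTING_TASK_DEFINITION, parsed)))
```

Both merge functions copy the task definition before touching it, so the definition fetched from ECS can still be diffed against the one about to be registered; that before/after pair is the same comparison requested from the PR author above.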
Orb version
3.2.0
What happened:
I tried to update an existing secret variable set in the task definition using the container-secret-updates parameter.
Then the pipeline fails at the step Register new task definition with the following error.

Expected behavior:
Secret variables in task definition can be updated by specifying them in the container-secret-updates parameter.
Additional Information: