aws / amazon-ecs-cli

The Amazon ECS CLI enables users to run their applications on ECS/Fargate using the Docker Compose file format, quickly provision resources, push/pull images in ECR, and monitor running applications on ECS/Fargate.
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ECS_CLI.html

Failed to decrypt secret due to failed to retrieve decrypted secret #1121

Open fagiani opened 3 years ago

fagiani commented 3 years ago

Summary

It throws an error when trying to run ecs-cli local up with a Task Definition that retrieves data from AWS Secrets Manager.

Description

Config files

Observed Behavior

+ ecs-cli configure --region us-east-1 --cluster my-cluster
INFO[0000] Saved ECS CLI cluster configuration default.
+ ecs-cli local create --task-def-remote my-taskdefinition --output docker-compose.ecs-local.yml --force
INFO[0000] Reading task definition from my-taskdefinition:16

INFO[0000] Task Definition network mode is ignored when running containers locally. Tasks will be run in the ecs-local-network.  networkMode=awsvpc
WARN[0000] awslogs log driver is ignored when running locally. Tasks will default to json-file instead. This can be changed in your compose override file.
INFO[0000] Successfully wrote docker-compose.ecs-local.yml
INFO[0000] Successfully wrote docker-compose.ecs-local.override.yml
+ ecs-cli local up
INFO[0000] The network ecs-local-network already exists
INFO[0000] The amazon-ecs-local-container-endpoints container already exists with ID a06557edbe0667a01a0be4a9e7269999d2cbe902c6a7894e09a11ef6eb308fb6
INFO[0000] Started container with ID a06557edbe0667a01a0be4a9e7269999d2cbe902c6a7894e09a11ef6eb308fb6
FATA[0000] Failed to decrypt secret due to
failed to retrieve decrypted secret from arn:aws:secretsmanager:us-east-1:*****:secret:my-namespace/my-app-*****:MY_FIRST_ENV:: due to ValidationException:Invalid name. Must be a valid name containing alphanumeric characters, or any of the following: -/_+=.@!
        status code: 400, request id: 74d64845-e54b-4ab5-a007-119dafe8edb4: ValidationException: Invalid name. Must be a valid name containing alphanumeric characters, or any of the following: -/_+=.@!
        status code: 400, request id: 74d64845-e54b-4ab5-a007-119dafe8edb4

I was unable to find where the invalid characters are. One of my hypotheses would be that somehow a required permission is not being given to the IAM role and therefore it is unable to retrieve the value and fails validation, but if that is the case I am not sure which one it should be, and I've tried to allow all Secrets Manager permissions without success.

If I hardcode label values, then it works but not with Secrets Manager.

Am I missing anything obvious here? Any clues on this are highly appreciated!

gshpychka commented 3 years ago

@efekarakus I am facing the same issue. I'm trying to retrieve a specific JSON key from a secret and it fails.

gshpychka commented 3 years ago

After looking through the source code it seems like it cannot handle references to a specific field in a secret, it can only fetch the whole secret value.
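The reference gshpychka is describing is the extended form ECS task definitions accept for Secrets Manager secrets: the seven-field secret ARN followed by `:json-key:version-stage:version-id`, which is what produces the `...:MY_FIRST_ENV::` suffix in the reporter's error. Secrets Manager itself only understands the seven-field ARN, so a client has to strip the suffix, fetch the whole secret, and pick the key out of the JSON document. The following is an added example of that client-side resolution, written for this page and not taken from ecs-cli; the account ID, secret suffix, secret contents and the stub fetcher are constructed, and a real resolver would call `secretsmanager:GetSecretValue` where the stub is used.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// SecretRef is the decomposition of an ECS "valueFrom" string for a
// Secrets Manager secret: either the bare 7-field ARN, or the ARN extended
// with json-key, version-stage and version-id (any of which may be empty).
type SecretRef struct {
	SecretID     string // the 7-field ARN that Secrets Manager actually accepts
	JSONKey      string // key to extract from a JSON secret; "" means the whole value
	VersionStage string
	VersionID    string
}

// ParseSecretRef splits a valueFrom string into the base ARN and the optional
// ECS-only suffix. Secret names cannot contain ':', so splitting is unambiguous.
func ParseSecretRef(valueFrom string) (SecretRef, error) {
	parts := strings.Split(valueFrom, ":")
	if len(parts) < 7 || parts[0] != "arn" || parts[2] != "secretsmanager" || parts[5] != "secret" {
		return SecretRef{}, fmt.Errorf("not a Secrets Manager ARN: %q", valueFrom)
	}
	ref := SecretRef{SecretID: strings.Join(parts[:7], ":")}
	switch len(parts) {
	case 7:
		return ref, nil
	case 10:
		ref.JSONKey, ref.VersionStage, ref.VersionID = parts[7], parts[8], parts[9]
		return ref, nil
	default:
		return SecretRef{}, fmt.Errorf("expected 7 or 10 colon-separated fields, got %d: %q", len(parts), valueFrom)
	}
}

// Fetcher returns the whole SecretString for a secret ID, as GetSecretValue
// would. It is a function type so the example can run offline against a stub.
type Fetcher func(secretID, versionStage, versionID string) (string, error)

// Resolve fetches the whole secret and, if a json-key was requested,
// extracts that key from the JSON document.
func Resolve(valueFrom string, fetch Fetcher) (string, error) {
	ref, err := ParseSecretRef(valueFrom)
	if err != nil {
		return "", err
	}
	raw, err := fetch(ref.SecretID, ref.VersionStage, ref.VersionID)
	if err != nil {
		return "", err
	}
	if ref.JSONKey == "" {
		return raw, nil
	}
	var doc map[string]json.RawMessage
	if err := json.Unmarshal([]byte(raw), &doc); err != nil {
		return "", fmt.Errorf("secret %s is not a JSON object but a json-key was requested: %w", ref.SecretID, err)
	}
	v, ok := doc[ref.JSONKey]
	if !ok {
		return "", fmt.Errorf("key %q not found in secret %s", ref.JSONKey, ref.SecretID)
	}
	var s string
	if err := json.Unmarshal(v, &s); err == nil {
		return s, nil // string values are returned unquoted
	}
	return string(v), nil // non-string values are returned as their JSON text
}

// StubFetcher stands in for Secrets Manager. Like the real service it rejects a
// SecretId that still carries the ECS suffix, which is the failure in the issue.
func StubFetcher(store map[string]string) Fetcher {
	return func(secretID, versionStage, versionID string) (string, error) {
		if strings.Count(secretID, ":") != 6 {
			return "", errors.New("ValidationException: Invalid name")
		}
		s, ok := store[secretID]
		if !ok {
			return "", fmt.Errorf("ResourceNotFoundException: %s", secretID)
		}
		return s, nil
	}
}

func main() {
	// Constructed placeholders: account ID, secret suffix and secret contents.
	const base = "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-namespace/my-app-AbCdEf"
	fetch := StubFetcher(map[string]string{base: `{"MY_FIRST_ENV":"hunter2","DB_PORT":5432}`})

	for _, ref := range []string{base, base + ":MY_FIRST_ENV::", base + ":DB_PORT::"} {
		v, err := Resolve(ref, fetch)
		fmt.Printf("%s -> %q err=%v\n", ref, v, err)
	}
	// What ecs-cli local does in the issue: hand the extended string straight to the service.
	_, err := fetch(base+":MY_FIRST_ENV::", "", "")
	fmt.Println("passing the suffix through:", err)
}
```

Note that the resolver never logs or returns the whole JSON document when a key was requested, so an unrelated key in the same secret does not leak into the container environment by accident.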