hyorimitsu
commented
1 day ago If there are no objections, I'd like to work on fixing this issue.
Open hyorimitsu opened 1 day ago
hyorimitsu
commented
1 day ago If there are no objections, I'd like to work on fixing this issue.
Overview
When using
ecs-task-runner, specifying an environment variable with an AWS Secrets Manager ARN in the format:does not treat the value as a
secrets. Instead, the ARN is passed directly to the container as a plain environment variable.Expected Behavior
When passing a Secrets Manager ARN as an environment variable, it is treated as a
secrets.Actual Behavior
When passing a Secrets Manager ARN as an environment variable, it is NOT treated as a
secrets.Possible Cause
In the code section here, environment variables matching the Secrets Manager ARN format are not recognized and processed as
secrets. They are treated as regular environment variables and passed directly to the container.Additional Context
Retrieving Specific JSON Keys
AWS Secrets Manager allows storing secrets as JSON objects. While AWS provides a reserved path (
/aws/reference/secretsmanager/<secret_id>) to reference secrets via the Parameter Store, this method does not support retrieving specific JSON key values directly.Naming Convention Conflicts
The naming conventions for Parameter Store and Secrets Manager differ. Secrets Manager allows characters in secret names that are invalid in Parameter Store parameter names.
For example, when integrating RDS with Secrets Manager using
manage-master-user-passwordoption, the secret name generated is in the formatrds!db-<uuid>. The exclamation mark!is invalid in Parameter Store names, leading to the following error when attempting to reference the secret in the Task Definition: