Overview
When using ecs-task-runner, an environment variable whose value is an AWS Secrets Manager ARN is not treated as a secret. Instead, the ARN is passed directly to the container as a plain environment variable.
Expected Behavior
When passing a Secrets Manager ARN as an environment variable, it is treated as a secret.
Actual Behavior
When passing a Secrets Manager ARN as an environment variable, it is NOT treated as a secret.
Possible Cause
In the code section here, environment variables matching the Secrets Manager ARN format are not recognized and processed as secrets. They are treated as regular environment variables and passed directly to the container.
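The routing this issue asks for, as an added example that is not ecs-task-runner's own code: values that look like Secrets Manager ARNs (including the `:json-key:version-stage:version-id` suffix that ECS accepts in `valueFrom`) or SSM parameter ARNs go into the container definition's `secrets` list, everything else into `environment`. The function names, regexes and sample values are assumptions constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Hypothetical helper, not ecs-task-runner's own code.
# Secrets Manager secret ARN, optionally followed by the
# ":json-key:version-stage:version-id" suffix ECS accepts in valueFrom.
# Secret names may contain characters Parameter Store rejects (e.g. the "!"
# in RDS-managed "rds!db-<uuid>"), so the name is matched as
# "anything but a colon" rather than a Parameter Store-safe charset.
_SM_ARN = re.compile(
    r"^arn:aws(?:-cn|-us-gov)?:secretsmanager:[a-z0-9-]+:\d{12}:secret:[^:\s]+"
    r"(?::[^:\s]*){0,3}$"
)
# SSM Parameter Store parameter ARN, also accepted by ECS valueFrom.
_SSM_ARN = re.compile(
    r"^arn:aws(?:-cn|-us-gov)?:ssm:[a-z0-9-]+:\d{12}:parameter/[A-Za-z0-9_.\-/]+$"
)


def is_secret_reference(value: str) -> bool:
    """True if the value should be resolved by ECS at task start, not passed as-is."""
    return bool(_SM_ARN.match(value) or _SSM_ARN.match(value))


def split_env(env: Dict[str, str]) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Return (environment, secrets) in ECS container-definition shape.

    Plain values become {"name", "value"} entries; ARN references become
    {"name", "valueFrom"} entries so the raw ARN never reaches the container.
    """
    environment: List[Dict[str, str]] = []
    secrets: List[Dict[str, str]] = []
    for name, value in sorted(env.items()):
        if is_secret_reference(value):
            secrets.append({"name": name, "valueFrom": value})
        else:
            environment.append({"name": name, "value": value})
    return environment, secrets


# Constructed sample input (fake account id, fake secret names).
SAMPLE_ENV = {
    "APP_ENV": "production",
    "DB_PASSWORD": "arn:aws:secretsmanager:us-east-1:123456789012:secret:"
                   "rds!db-0c9d9d2e-1111-2222-3333-444455556666-AbCdEf:password::",
    "API_KEY": "arn:aws:secretsmanager:us-east-1:123456789012:secret:app/api-key-XyZ123",
    "LOG_LEVEL": "arn:aws:ssm:us-east-1:123456789012:parameter/app/log-level",
    "NOT_AN_ARN": "arn:aws:secretsmanager:broken",  # malformed: stays a plain value
}
```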
Additional Context
Retrieving Specific JSON Keys
AWS Secrets Manager allows storing secrets as JSON objects. While AWS provides a reserved path (/aws/reference/secretsmanager/<secret_id>) to reference secrets via the Parameter Store, this method does not support retrieving specific JSON key values directly.
Naming Convention Conflicts
The naming conventions for Parameter Store and Secrets Manager differ. Secrets Manager allows characters in secret names that are invalid in Parameter Store parameter names.
For example, when integrating RDS with Secrets Manager using the manage-master-user-password option, the generated secret name has the format rds!db-<uuid>. The exclamation mark ! is invalid in Parameter Store names, which leads to the following error when the secret is referenced in the Task Definition:
ClientException: The Systems Manager parameter name specified for secret DB_PASSWORD is invalid. The parameter name can be up to 2048 characters and include the following letters and symbols: a-zA-Z0-9_.-,
status code: 400, request id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx