I'm using AWS Fargate and storing sensitive data with Secrets Manager. The task definition should get its environment variables from the secrets store:

```yaml
- name: "app"
  image: "ecr-image:tag"
  essential: true
  secrets:
    - name: "VAR1"
      valueFrom: "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-one-secret"
    - name: "VAR2"
      valueFrom: "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-secret"
    - name: "VAR3"
      valueFrom: "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-private"
```

but for some reason it fails with the error below:

```
ResourceNotFoundException: Secrets Manager can’t find the specified secret. status code: 400, request id
```

It seems a bit strange to me because IAM has permissions for get secret value; moreover, when leaving only the VAR1 variable, everything works as expected. The AWS CLI is able to retrieve each secret without any issue, e.g.

```sh
aws secretsmanager get-secret-value --secret-id var-two-secret
```

What might be wrong with my configuration? Any hints appreciated.
3 Answers
OK, so the trick was to specify the ARN explicitly. Instead of just providing the secret name, you should use the full identifier:

```
arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-secret-ID0o2R
```

Note the -ID0o2R suffix at the end of the secret name.

It's still not clear to me why for some variables it works without it.

UPD

> However, if your secret has a name that ends in a hyphen followed by six characters (before Secrets Manager adds the hyphen and six characters to the ARN) and you try to use that as a partial ARN, then those characters cause Secrets Manager to assume that you’re specifying a complete ARN. This confusion can cause unexpected results.

So, as you can see, since my variable name contains a hyphen, Secrets Manager had a hard time resolving it by its short name.
Secrets Manager tries to do partial ARN matching when you do not specify the GUID on the end of the ARN. However, it is imperfect because partial ARNs could collide. If you are fetching secrets within the same account, you can just use the secret name (the part after `secret:`, excluding the dash and 6-character `-GUID` suffix) instead of the full ARN. But using the full ARN, when you have it, is always best.
Another potential cause of this error is that the secret isn’t set; the secret name might exist, but not have a value. See for steps on setting a value.