
AWS Secrets Manager can’t find the specified secret


I'm using AWS Fargate and storing sensitive data with Secrets Manager. The task definition should get its environment variables from the secrets store:

- name: "app"
  image: "ecr-image:tag"
  essential: true
  secrets:
    - name: "VAR1"
      valueFrom: "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-one-secret"
    - name: "VAR2"
      valueFrom: "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-secret"
    - name: "VAR3"
      valueFrom: "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-private"

but for some reason it fails with the error below:

ResourceNotFoundException: Secrets Manager can’t find the specified secret. status code: 400, request id

It seems a bit strange to me because

  • IAM has permission to get the secret value; moreover,

  • when leaving only the VAR1 variable, everything works as expected

  • AWS CLI is able to retrieve each secret without any issue

e.g.

aws secretsmanager get-secret-value --secret-id var-two-secret

What might be wrong with my configuration? Any hints appreciated.


Solution

  • Secrets Manager tries to do partial ARN matching when you do not specify the GUID at the end of the ARN. However, it is imperfect, because partial ARNs could collide. If you are fetching secrets within the same account, you can just use the secret name (the part after secret:, excluding the dash and the 6-character GUID) instead of the full ARN. But using the full ARN, when you have it, is always best.
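To make the collision concrete, here is an added example (not code from the question, the answer or AWS): a simplified Python model of the lookup, where the matching rule is an assumption chosen to illustrate the answer's point, and the stored ARNs, their suffixes and the extra "var-two-secret-rotated" secret are constructed so that a partial ARN for var-two-secret matches two secrets. The check_task_secrets helper runs the question's secrets list through that model to flag references that do not resolve to exactly one secret.

```python
# Constructed sample of what Secrets Manager stores for the secrets: the friendly
# name plus the random 6-character suffix it appends (suffix values are made up).
STORED_SECRET_ARNS = [
    "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-one-secret-Ab12Cd",
    "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-secret-Ef34Gh",
    "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-secret-rotated-Ij56Kl",
    "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-private-Mn78Op",
]


def resolve(reference: str, stored: list[str] = STORED_SECRET_ARNS) -> str:
    """Simplified model (an assumption, not AWS's implementation) of how a
    valueFrom reference is looked up: a full ARN must match exactly; a partial
    ARN or a bare name is matched as a prefix of the stored names, so two
    secrets that share a prefix make the reference ambiguous."""
    if reference in stored:
        return reference  # full ARN: exactly one secret can match
    # Partial ARN: keep the part after ':secret:'. Bare name: use it as given.
    wanted = reference.split(":secret:", 1)[1] if ":secret:" in reference else reference
    candidates = [
        arn for arn in stored if arn.split(":secret:", 1)[1].startswith(wanted + "-")
    ]
    if len(candidates) == 1:
        return candidates[0]
    if not candidates:
        raise LookupError("ResourceNotFoundException: can't find the specified secret")
    raise LookupError(f"partial reference {reference!r} matches several: {candidates}")


def check_task_secrets(secrets: list[dict], stored: list[str] = STORED_SECRET_ARNS) -> dict:
    """Pre-deploy check for a task definition's `secrets` list: map each env var
    name to the full ARN it resolves to, or to an error string if it does not."""
    report = {}
    for entry in secrets:
        try:
            report[entry["name"]] = resolve(entry["valueFrom"], stored)
        except LookupError as exc:
            report[entry["name"]] = f"ERROR: {exc}"
    return report


if __name__ == "__main__":
    # The question's task definition as written: partial ARNs without the suffix.
    task_secrets = [
        {"name": "VAR1", "valueFrom": "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-one-secret"},
        {"name": "VAR2", "valueFrom": "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-secret"},
        {"name": "VAR3", "valueFrom": "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-private"},
    ]
    for name, outcome in check_task_secrets(task_secrets).items():
        print(f"{name}: {outcome}")
```

In this model VAR1 and VAR3 resolve, while VAR2 fails because the partial ARN is a prefix of two stored secrets; replacing it with the full ARN (including the suffix) resolves unambiguously.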