Search code examples
amazon-web-servicesamazon-ecsaws-cdkaws-secrets-manager

AWS CDK - Possible to access individual (JSON) value within a Secrets Manager secret when specifying secrets for a container?

I'm trying to put together a relatively simple stack on AWS CDK that involves an ApplicationLoadBalancedFargateService from aws-ecs-patterns.

My problem involves secrets. I have a secret in Secrets Manager that has several key/values (I think technically it's stored as a JSON doc, but AWS provides a key/val interface), and I need to pass them to my containers individually. I do this currently in an equivalent non-cdk (made in the console) stack by simply specifying the key, like this: arn:aws:secretsmanager:us-west-2:[acct]:secret/name-??????:KEY::, where `KEY is the secret key, and the correct value is inserted into the container as an env var.

When I try to do that with CDK, I get an error when I cdk synth:

`secretCompleteArn` does not appear to be complete; missing 6-character suffix

If I remove the last bit (:KEY::), it successfully synths, but my container isn't actually getting what I want.

This is how I'm trying to use it in my cdk (typescript) code:

new ApplicationLoadBalancedFargateService(this, 'Service', {
  ...
  taskImageOptions: {
    image: containerImage, // defined elsewhere
    ...
    secrets: {
      'DB_DATABASE': ecs.Secret.fromSecretsManager(
        Secret.fromSecretCompleteArn(this, 'secret-DB_DATABASE', 
         'arn:aws:secretsmanager:us-west-2:[acct]:secret:secret/name-??????:KEY::')),

      //there's really a few more, pulling keys from the same secret.  Omitting for brevity
    },
  },   
});

Is there a way to to make this work? Or do I need to change the way I store/use my secrets?

Solution

  • This is how you pass a specific key as environment variable to your container:

    const mySecret = secretsmanager.Secret.fromSecretCompleteArn('<your arn>');

taskDefinition.addContainer('MyContainer', {
  // ... other props ...
  secrets: {
    SECRET_KEY: ecs.Secret.fromSecretsManager(mySecret, 'specificKey'),
  },
});

    or with the ApplicationLoadBalancedFargateService:

    new ApplicationLoadBalancedFargateService(this, 'Service', {
  ...
  taskImageOptions: {
    image: containerImage, // defined elsewhere
    ...
    secrets: {
      'DB_DATABASE': ecs.Secret.fromSecretsManager(mySecret, 'specificKey'),
    },
  },   
});