I'm trying to run the Stripe CLI in an AWS ECS Docker container to perform
stripe listen
When I do it in test mode it appears to work fine. I suspect that it's because you don't need an api-key for it to run.
I created a restricted API key and put it in Secrets Manager, assigned a role, and I know that I can get secrets at run time because the other server container is getting the secrets without a problem at run time.
I have set up a task definition. I'll provide the JSON definition for the stripe container below:
{
  "name": "stripe-cli",
  "image": "stripe/stripe-cli",
  "cpu": 0,
  "portMappings": [],
  "essential": true,
  "command": [
    "listen",
    "--api-key",
    "${STRIPE_RESTRICTED_API_KEY}",
    "--forward-to",
    "https://redacted.com/api/stripe/webhook"
  ],
  "environment": [],
  "mountPoints": [],
  "volumesFrom": [],
  "secrets": [
    {
      "name": "STRIPE_RESTRICTED_API_KEY",
      "valueFrom": "arn:aws:secretsmanager:region:accountId:secret:secret_store_redacted:secret_name_redacted::"
    }
  ],
  "dependsOn": [
    {
      "containerName": "redacted",
      "condition": "HEALTHY"
    }
  ],
  "readonlyRootFilesystem": true,
  "logConfiguration": {
    "logDriver": "awslogs",
    "options": {},
    "secretOptions": []
  },
  "healthCheck": {
    "command": [
      "CMD-SHELL",
      "stripe version || exit 1"
    ],
    "interval": 30,
    "timeout": 5,
    "retries": 3,
    "startPeriod": 0
  }
}
The problem is that I keep getting this error when I try to deploy the Stripe CLI with live mode on:
"message": "For security reasons, the Stripe CLI only permits the use of restricted keys when in live mode. To generate restricted keys for use in live mode, use the stripe login command."
Am I doing something wrong? Is there another way to access the restricted API key secret from secret manager into commands?
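The following pre-flight check is an added example for the question above; it is not part of the original post and is not Stripe's or AWS's code. It models two things a practitioner would verify before trusting the task definition: ECS hands the "command" array to the image entrypoint as exec-form arguments, so a literal "${VAR}" argument is not expanded by any shell (the "secrets" entries only populate environment variables), and Stripe keys carry a public prefix (rk_live_, rk_test_, sk_live_, sk_test_) that tells you whether the value the CLI actually receives is a live restricted key. The container fragment, the secret ARN and the key values below are constructed sample data, and the shell=True path is an assumption that the command has been wrapped in a shell present in the image.

```python
"""Pre-flight check for a Stripe CLI container command in an ECS task definition.

Added example, not code from the original post, Stripe or AWS. It encodes two
facts: ECS passes "command" to the entrypoint as exec-form arguments (no shell,
so "${VAR}" is not expanded) while "secrets" only set environment variables; and
Stripe keys carry a public prefix that identifies restricted vs. secret keys and
live vs. test mode. All sample data below is constructed.
"""
import re
from typing import Optional

# "$VAR" or "${VAR}" forming an entire argument.
PLACEHOLDER = re.compile(r"^\$(?:\{(\w+)\}|(\w+))$")


def injected_env_names(container: dict) -> set:
    """Environment variable names ECS will set from "environment" and "secrets"."""
    names = {e["name"] for e in container.get("environment", [])}
    names |= {s["name"] for s in container.get("secrets", [])}
    return names


def placeholder_name(arg: str) -> Optional[str]:
    """Variable name if the whole argument is a "$VAR"/"${VAR}" reference, else None."""
    m = PLACEHOLDER.match(arg)
    if not m:
        return None
    return m.group(1) or m.group(2)


def received_value(arg: str, env: dict, shell: bool) -> str:
    """What the process sees for one argument.

    shell=False models ECS exec form: the literal text is passed through.
    shell=True models the command being wrapped in a shell (assumed to exist
    in the image), which expands the reference from the environment.
    """
    name = placeholder_name(arg)
    if shell and name is not None:
        return env.get(name, "")
    return arg


def api_key_argument(command: list) -> Optional[str]:
    """Raw value given to --api-key in the command array, or None if absent."""
    for i, arg in enumerate(command):
        if arg == "--api-key" and i + 1 < len(command):
            return command[i + 1]
        if arg.startswith("--api-key="):
            return arg.split("=", 1)[1]
    return None


def classify_key(value: str) -> str:
    """Classify a key by its public prefix, as the CLI would see it."""
    for prefix, kind in (("rk_live_", "restricted-live"),
                         ("rk_test_", "restricted-test"),
                         ("sk_live_", "secret-live"),
                         ("sk_test_", "secret-test")):
        if value.startswith(prefix):
            return kind
    if placeholder_name(value) is not None:
        return "unexpanded-placeholder"
    return "unknown"


def preflight(container: dict, runtime_env: dict, shell: bool = False) -> dict:
    """Report the key the CLI would receive and whether live mode would accept it."""
    problems = []
    raw = api_key_argument(container.get("command", []))
    if raw is None:
        return {"received": None, "kind": "missing", "live_ok": False,
                "problems": ["no --api-key argument in command"]}
    name = placeholder_name(raw)
    if name is not None and name not in injected_env_names(container):
        problems.append(f"{name} is not provided by environment or secrets")
    if name is not None and not shell:
        problems.append(f"{raw!r} is passed literally: exec-form command does no expansion")
    received = received_value(raw, runtime_env, shell)
    kind = classify_key(received)
    live_ok = kind == "restricted-live"
    if not live_ok:
        problems.append(f"live mode requires an rk_live_ key, got {kind}")
    return {"received": received, "kind": kind, "live_ok": live_ok, "problems": problems}


# Constructed fragment mirroring the shape of the question's task definition.
SAMPLE_CONTAINER = {
    "name": "stripe-cli",
    "command": ["listen", "--api-key", "${STRIPE_RESTRICTED_API_KEY}",
                "--forward-to", "https://example.invalid/api/stripe/webhook"],
    "environment": [],
    "secrets": [{"name": "STRIPE_RESTRICTED_API_KEY",
                 "valueFrom": "arn:aws:secretsmanager:region:account:secret:example"}],
}
# Constructed value the secret would resolve to at run time (not a real key).
SAMPLE_ENV = {"STRIPE_RESTRICTED_API_KEY": "rk_live_constructedexample"}

if __name__ == "__main__":
    for shell in (False, True):
        print(f"shell={shell}:", preflight(SAMPLE_CONTAINER, SAMPLE_ENV, shell=shell))
```

Run against the constructed fragment, the exec-form case reports that the CLI receives the literal string "${STRIPE_RESTRICTED_API_KEY}", which is neither a restricted nor a live key; only the shell-wrapped case delivers the rk_live_ value. A quick way to confirm what ECS actually passed in a real task is to temporarily override the command with something that prints its arguments, which keeps the key out of the task definition itself.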
It turns out that I didn't need to run a Stripe CLI container for my project. I was trying to listen to Stripe events, but it turns out that this is only needed locally. So I removed the CLI from the deployment and my project is listening to events just fine.