
Failed to decrypt secret due to failed to retrieve decrypted secret #1121

Open
fagiani opened this issue Jan 13, 2021 · 2 comments

Comments


fagiani commented Jan 13, 2021

Summary

It throws an error when trying to run ecs-cli local up with a Task Definition that retrieves data from AWS Secrets Manager.

Description

  • Which specific command was run?
    ecs-cli local create --task-def-remote my-task-definition --output docker-compose.ecs-local.yml --force
    ecs-cli local up

  • Which version of the CLI are you using? (Run: ecs-cli --version)
    ecs-cli version 1.21.0 (bb0b8f0)

  • Which version of Go are you using? (Run: go version)
    Command go not found

  • What platform are you using to run ECS CLI commands? (E.g. Linux, macOS, Windows)
    Linux version 5.4.0-1029-aws (buildd@lcy01-amd64-022) (gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)) #30-Ubuntu SMP Tue Oct 20 10:06:38 UTC 2020

Config files

  • docker-compose.yml
version: "3.4"
services:
  my-service:
    entrypoint:
    - web
    environment:
      MY_FIRST_ENV: ${my-first-env-label_MY_FIRST_ENV}
      MY_SECOND_ENV: ${my-second-env-label_MY_SECOND_ENV}
    image: *****.dkr.ecr.us-east-1.amazonaws.com/my-docker-image:latest
    labels:
      ecs-local.secret.MY_FIRST_ENV: 'arn:aws:secretsmanager:us-east-1:*****:secret:my-namespace/my-app-*****:MY_FIRST_ENV::'
      ecs-local.secret.MY_SECOND_ENV: 'arn:aws:secretsmanager:us-east-1:*****:secret:my-namespace/my-app-*****:MY_SECOND_ENV::'
      ecs-local.task-definition-input.type: remote
      ecs-local.task-definition-input.value: my-local-task-definition
    logging:
      driver: awslogs
      options:
        awslogs-group: ecs/my-app-log-group
        awslogs-region: us-east-1
        awslogs-stream-prefix: ecs
    networks:
      ecs-local-network: null
    ports:
    - target: 3000
      published: 3000
      protocol: tcp
networks:
  ecs-local-network:
    external: true

  • ecs-params.yml
    N/A

  • ~/.ecs/config

version: v1
default: default
clusters:
  default:
    cluster: my-cluster
    region: us-east-1
    default_launch_type: ""

Expected Behavior

Execute the docker-compose and have a container running

Observed Behavior

+ ecs-cli configure --region us-east-1 --cluster my-cluster
INFO[0000] Saved ECS CLI cluster configuration default.
+ ecs-cli local create --task-def-remote my-taskdefinition --output docker-compose.ecs-local.yml --force
INFO[0000] Reading task definition from my-taskdefinition:16

INFO[0000] Task Definition network mode is ignored when running containers locally. Tasks will be run in the ecs-local-network.  networkMode=awsvpc
WARN[0000] awslogs log driver is ignored when running locally. Tasks will default to json-file instead. This can be changed in your compose override file.
INFO[0000] Successfully wrote docker-compose.ecs-local.yml
INFO[0000] Successfully wrote docker-compose.ecs-local.override.yml
+ ecs-cli local up
INFO[0000] The network ecs-local-network already exists
INFO[0000] The amazon-ecs-local-container-endpoints container already exists with ID a06557edbe0667a01a0be4a9e7269999d2cbe902c6a7894e09a11ef6eb308fb6
INFO[0000] Started container with ID a06557edbe0667a01a0be4a9e7269999d2cbe902c6a7894e09a11ef6eb308fb6
FATA[0000] Failed to decrypt secret due to
failed to retrieve decrypted secret from arn:aws:secretsmanager:us-east-1:*****:secret:my-namespace/my-app-*****:MY_FIRST_ENV:: due to ValidationException:Invalid name. Must be a valid name containing alphanumeric characters, or any of the following: -/_+=.@!
        status code: 400, request id: 74d64845-e54b-4ab5-a007-119dafe8edb4: ValidationException: Invalid name. Must be a valid name containing alphanumeric characters, or any of the following: -/_+=.@!
        status code: 400, request id: 74d64845-e54b-4ab5-a007-119dafe8edb4

I was unable to find where the invalid characters are. One of my hypotheses would be that somehow a required permission is not being given to the IAM role and therefore it is unable to retrieve the value and fails validation, but if that is the case I am not sure which one it should be, and I've tried to allow all Secrets Manager permissions without success.

If I hardcode label values, then it works but not with Secrets Manager.

Am I missing anything obvious here? Any clues on this are highly appreciated!

@gshpychka

@efekarakus I am facing the same issue. I'm trying to retrieve a specific JSON key from a secret and it fails.

@gshpychka

After looking through the source code, it seems like it cannot handle references to a specific field in a secret; it can only fetch the whole secret value.
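The reference shape the comment above describes, as an added example that is not ecs-cli's own code: an ECS-style Secrets Manager `valueFrom` carrying the `:json-key:version-stage:version-id` suffix is split so that only the bare ARN is used as the SecretId, and the key is applied to the fetched JSON afterwards. The type and function names, the sample ARN and the sample secret payload are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// SecretRef is a parsed ECS "valueFrom" Secrets Manager reference. ECS allows a
// ":json-key:version-stage:version-id" suffix after the ARN to select one key of
// a JSON secret; it must be stripped before the ARN is used as SecretId.
type SecretRef struct {
	SecretID     string // bare ARN to pass to GetSecretValue
	JSONKey      string // empty means "use the whole SecretString"
	VersionStage string
	VersionID    string
}

// ParseSecretRef splits on ':'. Secret names cannot contain ':', so the first
// seven fields (arn:aws:secretsmanager:region:account:secret:name) are the ARN.
func ParseSecretRef(valueFrom string) (SecretRef, error) {
	p := strings.Split(valueFrom, ":")
	if len(p) < 7 || p[0] != "arn" || p[2] != "secretsmanager" {
		return SecretRef{}, fmt.Errorf("not a Secrets Manager ARN: %q", valueFrom)
	}
	ref := SecretRef{SecretID: strings.Join(p[:7], ":")}
	switch len(p) {
	case 7: // plain ARN: whole secret
	case 10: // ARN + json-key + version-stage + version-id (each may be empty)
		ref.JSONKey, ref.VersionStage, ref.VersionID = p[7], p[8], p[9]
	default:
		return SecretRef{}, fmt.Errorf("malformed secret reference: %q", valueFrom)
	}
	return ref, nil
}

// Resolve applies the JSON key, if any, to a fetched SecretString.
func Resolve(ref SecretRef, secretString string) (string, error) {
	if ref.JSONKey == "" {
		return secretString, nil
	}
	var fields map[string]string // string-valued JSON object, the usual shape
	if err := json.Unmarshal([]byte(secretString), &fields); err != nil {
		return "", fmt.Errorf("secret is not a JSON object of strings: %w", err)
	}
	v, ok := fields[ref.JSONKey]
	if !ok {
		return "", fmt.Errorf("key %q not present in secret", ref.JSONKey)
	}
	return v, nil
}
```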
