Fargate task secrets retrieval issue: Invalid name in DescribeSecret operation

Hello all!

I have a fargate task that’s getting passed some fields from secrets as environment variables and this is the resulting secrets object in the task definition:

```json
    {
        "name": "MYSQL_HOST",
        "valueFrom": "arn:aws-us-gov:secretsmanager:{region}:secret:{secret_name}:{field}::"
    },
    ...
],
```

Which as far as I can tell is the correct methodology.

I've also given the task permissions to describe {secretname} in both the execution and task roles.

I was given the message:
`ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve secret from asm: service call has been retried 1 time(s): failed to fetch secret`

and ran the `TroubleshootECSTaskFailedToStart` runbook (output inside) and it seems like the main grievance is the following:
`SecretAnalysis:AWS API Error An error occurred (ValidationException) when calling the DescribeSecret operation: Invalid name. Must be a valid name containing alphanumeric characters, or any of the following: -/_+=.@!`

Am I doing something obviously boneheaded? Any insight is appreciated.

runbook output:

```text
STEP:02_CoreFailureReasonEvaluation
+++++++++++++++++++++++++++++++++++
GenericChecks:Checking Task networking and public IP assignment
GenericChecks:Checking Task networking and public IP assignment
GenericChecks:Checking if Image Pull Rate Limit occurred
RegistryAnalysis:Checking Security group egress rules for DNS resolved IP/s of ECR domains
RegistryAnalysis:Checking required VPC endpoints for ECR
RegistryAnalysis:Checking VPCe analysis for s3
RegistryAnalysis:Checking Security group egress rules for DNS resolved IP/s of external registry domains
LogAnalysis:Checking log configuration permission and group existence
SecretAnalysis:Checking SecretsManager credential existence and KMS settings
SecretAnalysis:AWS API Error An error occurred (ValidationException) when calling the DescribeSecret operation: Invalid name. Must be a valid name containing alphanumeric characters, or any of the following: -/_+=.@!
SecretAnalysis:AWS API Error An error occurred (ValidationException) when calling the DescribeSecret operation: Invalid name. Must be a valid name containing alphanumeric characters, or any of the following: -/_+=.@!
SecretAnalysis:AWS API Error An error occurred (ValidationException) when calling the DescribeSecret operation: Invalid name. Must be a valid name containing alphanumeric characters, or any of the following: -/_+=.@!
SecretAnalysis:AWS API Error An error occurred (ValidationException) when calling the DescribeSecret operation: Invalid name. Must be a valid name containing alphanumeric characters, or any of the following: -/_+=.@!
SecretAnalysis:AWS API Error An error occurred (ValidationException) when calling the DescribeSecret operation: Invalid name. Must be a valid name containing alphanumeric characters, or any of the following: -/_+=.@!
SecretAnalysis:AWS API Error An error occurred (ValidationException) when calling the DescribeSecret operation: Invalid name. Must be a valid name containing alphanumeric characters, or any of the following: -/_+=.@!
SecretAnalysis:AWS API Error An error occurred (ValidationException) when calling the DescribeSecret operation: Invalid name. Must be a valid name containing alphanumeric characters, or any of the following: -/_+=.@!
```

Yeah. I obfuscated it with {region}. Apologies for the confusion.

The task is defined in CDK code, and the secrets are generated with the `ecs.Secret.from_secrets_manager()` method. I don’t enter the ARNs myself.

Those extra `:` at the end of the valueFrom seem wrong? We aren’t grabbing specific parts of a secret, but ours look like

```json
    {
        "name": "database",
        "valueFrom": "arn:aws:secretsmanager:us-west-2:123456789012:secret:prod/rds/db01-FOOBAR"
    }
],
```

I’ll take a look at this when I can. As I said, I’m relying on the CDK to populate these values for me.

My secret was named `blah-blah-access`.

Hyphens are a no-no: https://stackoverflow.com/questions/57821886/aws-secrets-manager-can-t-find-the-specified-secret

Thanks for the help, everyone.

That seems like quite the edge case … am I hearing that a hyphen followed by six characters is what trips up the system?

Burned a good 12 hours of my life on that particular one.
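As an added example (not code from this thread, from the AWS CDK, or from the runbook), here is a small Python helper that captures the two things the thread establishes: the layout of an ECS `valueFrom` reference, which is why the CDK-generated value above ends in `::` (empty version-stage and version-id slots after the JSON key), and the naming pitfall that caused the failure, a friendly name ending in a hyphen followed by six characters, which collides with the random `-XXXXXX` suffix Secrets Manager appends to every secret ARN (the `-FOOBAR` in the second poster's example). The account id and region are placeholders, and `check_secret_name` is meant for the friendly name you are about to create, since a full ARN always ends in such a suffix by construction.

```python
import re

# Allowed secret-name characters, as listed in the ValidationException quoted in the thread:
# alphanumeric plus - / _ + = . @ !
SECRET_NAME_RE = re.compile(r"^[A-Za-z0-9/_+=.@!-]+$")

# Secrets Manager appends "-" plus six random characters to every secret ARN
# (e.g. "prod/rds/db01-FOOBAR"). A friendly name that already ends that way,
# such as "blah-blah-access", is indistinguishable from name-plus-suffix when the
# secret is looked up by name or partial ARN.
RANDOM_SUFFIX_RE = re.compile(r"-[A-Za-z0-9]{6}$")


def check_secret_name(friendly_name):
    """Lint a friendly name BEFORE the secret is created. Returns a list of problems (empty = fine)."""
    problems = []
    if not SECRET_NAME_RE.fullmatch(friendly_name):
        problems.append("contains characters outside the allowed set (alphanumeric and -/_+=.@!)")
    if RANDOM_SUFFIX_RE.search(friendly_name):
        problems.append(
            "ends in '-' plus six characters, which looks like the random ARN suffix; "
            "rename it, or always reference it by the full ARN including the suffix"
        )
    return problems


def parse_value_from(value_from):
    """Split an ECS container `valueFrom` reference into its parts.

    Layout (the three trailing selectors are optional):
      arn:<partition>:secretsmanager:<region>:<account>:secret:<name>:<json-key>:<version-stage>:<version-id>
    Colons are not legal inside secret names, so a plain split is unambiguous.
    """
    parts = value_from.split(":")
    if len(parts) < 7 or parts[0] != "arn" or parts[2] != "secretsmanager" or parts[5] != "secret":
        raise ValueError("not a Secrets Manager ARN: %r" % value_from)
    selectors = parts[7:]
    if len(selectors) > 3:
        raise ValueError("too many ':'-separated selectors after the secret name: %r" % value_from)
    selectors += [""] * (3 - len(selectors))  # empty selectors mean whole secret, default (current) version
    return {
        "partition": parts[1],
        "region": parts[3],
        "account": parts[4],
        "secret_name": parts[6],
        "json_key": selectors[0],
        "version_stage": selectors[1],
        "version_id": selectors[2],
    }


def build_value_from(secret_arn, json_key="", version_stage="", version_id=""):
    """Build a `valueFrom` string in the layout shown in the thread.

    With only a json_key this yields "<arn>:<key>::"; the trailing "::" are the
    empty version-stage and version-id slots, not an error.
    """
    if not (json_key or version_stage or version_id):
        return secret_arn
    return ":".join([secret_arn, json_key, version_stage, version_id])


if __name__ == "__main__":
    # Constructed sample values; account id and region are placeholders.
    arn = "arn:aws-us-gov:secretsmanager:us-gov-west-1:123456789012:secret:blah-blah-access"
    ref = build_value_from(arn, json_key="MYSQL_HOST")
    print(ref)
    print(parse_value_from(ref))
    for name in ("blah-blah-access", "prod/rds/db01", "bad name"):
        print(name, "->", check_secret_name(name) or "ok")
```

Run it as-is to see `blah-blah-access` flagged while `prod/rds/db01` passes; in a CDK or CI pipeline the `check_secret_name` call belongs wherever secret names are chosen, before anything tries to resolve them by name.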