Validation Exception when trying to retrieve secret value from Secrets Manager


How can I ensure that my IAM role can access the secret value stored in Secrets Manager? I am using this IAM role as an ECS container role. My secret name is acme/prod/secret, which is encrypted with a key called acme/prod/key. Both of these ARNs are mentioned in the custom IAM policy attached to the container role. My policy also has the "secretsmanager:GetSecretValue", "kms:GenerateDataKey" and "kms:decrypt" actions allowed on the resources. The secret is an RDS DB password (no rotation).

Below is the error message from ECS:

Error opening database of Type postgresql: error connecting to PostgreSQL database: failed to connect to `host=acme-prod-use2-rds.cjawesag8d4x.us-east-2.rds.amazonaws.com user=acme_rsa_prod_db_user database=acme_rsa_prod_db`: failed SASL auth (FATAL: password authentication failed for user "acme_rsa_prod_db_user" (SQLSTATE 28P01))

I dug a bit deeper and found this from CloudWatch logs. Below is the exact error message from CloudWatch:

operation error Secrets Manager: GetSecretValue, https response error StatusCode: 400, RequestID: 03347bce-a82c-40c5-960a-7749bde30801, api error ValidationException: Invalid name. Must be a valid name containing alphanumeric characters, or any of the following: -/_+=.@!
2 Answers

Hello.

Is it possible for you to share the exact IAM policy you are using?
Is SecretsManager accessed from ECS by setting environment variables?
In that case, such an error may occur if the secret setting in the task definition is incorrect.
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/secrets-envvar-secrets-manager.html

answered 3 months ago
  • I'm using a custom IAM policy which has the "secretsmanager:GetSecretValue", "kms:GenerateDataKey" and "kms:decrypt" actions allowed on the secret and encryption key resources. Yes, the Secrets Manager secret value is accessed from ECS by setting environment variables during task creation. The JSON block is:

    "containerDefinitions": [ { "name": "acme-container-prod-use2-ecs", "image": "730335305079.dkr.ecr.us-east-2.amazonaws.com/acme:2024", "cpu": 0, "portMappings": [ { "name": "443", "containerPort": 443, "hostPort": 443, "protocol": "tcp", "appProtocol": "http" } ], "essential": true, "environment": [ { "name": "AWS_REGION", "value": "us-east-2" }, { "name": "DB_SECRET_NAME", "value": "acme-db-prod-use2-secret" } ] } ]

    As per logs, the AWS_REGION value was successfully retrieved from the env variables but not the DB_SECRET_NAME.

    The logs show this: Region: us-east-2, DBSecretName: Secret name Description Last retrieved (UTC) acme-db-prod-use2-secret.

    So, it's clear that the env var value is not getting fetched properly.


Hi,

I'd suggest that you decode the secret from your machine via CLI command get-secret-value. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/secretsmanager/get-secret-value.html

From the error message, it seems that your secret is badly formatted (one of the fields has an incorrect value). You will see which one when you decrypt your secret with the command above.

Best,

Didier

answered 3 months ago
  • I followed the instructions you shared and could successfully decrypt the secret. It was properly formatted.
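The ValidationException in the question complains about the secret *name*, not the secret's contents, and the CloudWatch line in the first comment shows the container reading a value padded with console table text ("Secret name Description Last retrieved (UTC) ..."). The following added example (not code from the question, the answers or AWS) checks a name against the character set quoted in that error before calling GetSecretValue, and reports exactly which characters are disallowed. It assumes the secret's SecretString is a JSON document with a `password` key, and uses a constructed stub in place of a boto3 client so it runs offline; `invalid_chars`, `fetch_db_password` and `PASTED_NAME` are names chosen here.

```python
import json
import re

# Character set quoted in the ValidationException on this page:
# alphanumeric characters or any of  - / _ + = . @ !
_ALLOWED_CHAR = re.compile(r"[A-Za-z0-9\-/_+=.@!]")


def invalid_chars(secret_name: str) -> list[str]:
    """Return the distinct characters that make a Secrets Manager name invalid."""
    return sorted({c for c in secret_name if not _ALLOWED_CHAR.fullmatch(c)})


def fetch_db_password(client, secret_name: str) -> str:
    """Validate the name locally, then fetch the secret and return its password.

    `client` is any object exposing get_secret_value(SecretId=...), i.e. the
    boto3 Secrets Manager client interface; a stub is injected below.
    """
    bad = invalid_chars(secret_name)
    if bad:
        # Fail before the API call, with a message that names the culprit
        # characters instead of the generic "Invalid name" from the service.
        raise ValueError(
            f"secret name {secret_name!r} contains disallowed characters {bad}; "
            "check the value configured in the task definition"
        )
    resp = client.get_secret_value(SecretId=secret_name)
    body = json.loads(resp["SecretString"])  # assumed JSON document
    return body["password"]


class _StubSecretsClient:
    """Constructed stand-in for boto3's client so the example runs offline."""

    def __init__(self, store: dict):
        self._store = store

    def get_secret_value(self, SecretId: str) -> dict:
        if SecretId not in self._store:
            raise KeyError(f"ResourceNotFoundException: {SecretId}")
        return {"Name": SecretId, "SecretString": self._store[SecretId]}


STUB = _StubSecretsClient({
    "acme-db-prod-use2-secret": json.dumps(
        {"username": "acme_rsa_prod_db_user", "password": "constructed-example-pw"}
    )
})

# The value the CloudWatch log on this page shows the container actually read.
PASTED_NAME = "Secret name Description Last retrieved (UTC) acme-db-prod-use2-secret"

if __name__ == "__main__":
    print(invalid_chars(PASTED_NAME))                          # [' ', '(', ')']
    print(fetch_db_password(STUB, "acme-db-prod-use2-secret"))  # constructed-example-pw
```

Injecting the secret through the task definition's `secrets` / `valueFrom` setting (the ECS document linked in the first answer) removes the name-lookup step from application code entirely, so a mis-pasted environment value cannot reach GetSecretValue.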
