- Newest
- Most votes
- Most comments
From the issue description I understand you are looking to migrate your service from AppMesh to ServiceConnect and in the template snippet the parameter ARN is specified with environment variable for region and account ID.
The shared error indicates that the SSM parameter ARN is different from current account which indicates its null. Furthermore, the account ID's needs to be the same as SSM parameter ARN as cross account support is not currently supported.
Based on this data, it seems the template is not pulling the account ID as it set as null, can you confirm how the account ID variable is setup in the cdk template? Based on the environment variable this seems to be pulling a ENV from CDK, can you confirm if the ENV is setup with the correct values?
With regards to envoy containers the instance metadata can be used to extract the account ID which does not require it to be set as an ENV. Thus this should work on container without any issue. The service connect is not the error prone component but rather the account ID not being setup in the CDK ENV. Please refer to https://docs.aws.amazon.com/app-mesh/latest/userguide/proxy-authorization.html for more info about instance metadata.
I would also like to take the opportunity to advise I am an engineer from ECS and do not work on CDK. I did however setup a lab with CDK using literal values for the region and account ID and I was able to deploy successfully, when trying to use ENV my code failed to synthesize. I would recommend reaching to CDK team to understand how to pass the account variable correctly to avoid the null results.
For now I've updated the parameter store value to String
from SecureString
, and added the value as an inline resolve
Relevant content
- asked a month ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 months ago
Sorry, I should have made the example more concise: I've updated the question to include the actual cloudformation stack values opposed to cdk code. Like I mentioned the block of code is identical between the original envoy setup and the new service connect setup, so there shouldn't be any issues with the account id.
It seems like there's an issue with service connect being able to read secure strings (or maybe any SSM parameters). From it's perspective it's running in some sort of context that does not have an account id.
@Bohlale_M - any thoughts on the updated details in the question? In your lab example, were you using a securestring parameter in that secretoptions section?