AWS Secrets Manager can’t find the specified secret

Question

I'm using AWS Fargate and storing sensitive data with Secrets Manager. Task definition should get environment variables from secrets store

- name: "app"
  image: "ecr-image:tag"
  essential: true
  secrets:
    - name: "VAR1"
      valueFrom: "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-one-secret"
    - name: "VAR2"
      valueFrom: "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-secret"
    - name: "VAR3"
      valueFrom: "arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-private"

but for some reason it fails with the error below

ResourceNotFoundException: Secrets Manager can’t find the specified secret. status code: 400, request id

It seems a bit strange to me because

IAM has permissions for get secret value, moreover
when leaving only VAR1 variable everything works as expected
AWS CLI is able to retrieve each secret without any issue

e.g.

aws secretsmanager get-secret-value --secret-id var-two-secret

What might be wrong with my configuration? Any hints appreciated

Most Wanted · Answer 1 · 2019-09-08T17:10:34.673

28

ok, so the trick was to specify ARN explicitly. Instead of just providing secret name you should use full identifier

arn:aws:secretsmanager:us-east-1:111222333444:secret:var-two-secret-ID0o2R

Note -ID0o2R suffix at the end of secret name.

It's still not clear for me why for some variables it works without it.

UPD

However, if your secret has a name that ends in a hyphen followed by six characters (before Secrets Manager adds the hyphen and six characters to the ARN) and you try to use that as a partial ARN, then those characters cause Secrets Manager to assume that you’re specifying a complete ARN. This confusion can cause unexpected results.

So as you can see from my variable name containing a hyphen Secrets Manager had hard times when resolving it by short name

edited Sep 08 '19 at 17:10

answered Sep 06 '19 at 13:37

Most Wanted

6,254
5
53
70

6

Not just a hyphen, but a hyphen followed by exactly 6 characters: `-secret` ‍♀️ – meustrus Sep 04 '20 at 17:44
4

Bit me too... why AWS? – JTW Feb 15 '21 at 16:36
5

This is truly one of the most perplexing, time-wasting, mind-boggling anti-features I've ever seen in AWS. And they have quite a few. Thanks for saving me hours or days of debugging. – danielkza Oct 27 '21 at 15:02
I wasted two days with this, can't believe this is still an issue. – Miguel Angel Acevedo May 13 '22 at 08:08
such a waste of time trying to troubleshoot the error :( – keshav jois Aug 14 '22 at 01:10
All this is explained with examples in the docs: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data-secrets.html#secrets-envvar – Luigi Lopez Aug 17 '22 at 03:29
Add one more to the list of people who got confused by this, and facepalmed at the coincidence of `secret` being 6 characters :P – scubbo Jun 08 '23 at 22:16

JoeB · Accepted Answer · 2022-11-27T00:10:47.680

23

Secrets Manager tries to do partial ARN matching when you do not specify the GUID on the end of the ARN. However, it is imperfect because partial ARNs could collide. If you are fetching secrets within the same account, you can just use the secret name (the part after secret: and excluding the dash 6 character -GUID) instead of the full ARN. But using the full ARN, when you have it, is always best.

edited Nov 27 '22 at 00:10

answered Sep 06 '19 at 16:59

JoeB

1,503
7
9

score 5 · Answer 3 · answered Sep 16 '21 at 21:51

5

Another potential cause of this error is that the secret isn’t set; the secret name might exist, but not have a value. See https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_update-secret.html for steps on setting a value.

answered Sep 16 '21 at 21:51

Geoffrey Booth

7,168
5
35
42

score 1 · Answer 4 · answered Aug 17 '22 at 03:28

Just add a double colon to the end of the ARN:

"arn:aws:secretsmanager:us-east-1:1234567890:secret:example-ABC12:VARIABLE_NAME::"

Explanation:

arn:aws:secretsmanager:us-east-1:1234567890:secret:example-ABC12 is the ARN of your secrets (vault)
VARIABLE_NAME is the actual variable you added, with the addition of :: to the ARN.

Check all the possible combinations in the docs.

score 0 · Answer 5 · answered Feb 26 '23 at 22:38

0

Also ensure that you are not creating multiple SPCs in the same NS. In my case, I created two SCPs in the same NS. The second SPC returned the exact same error.

answered Feb 26 '23 at 22:38

j3e

1

As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Mar 03 '23 at 20:00

Adam E. · Answer 6 · 2023-03-22T14:27:29.373

I've encountered this exact issue when naming a secret resource authentication-token-secret. I needed to put together the partial ARN myself for local testing (using AWS SAM) and due to the fact that the secret name ended with the hyphen and six characters AWS Secret Manager assumed I'm looking for a full ARN and failed to find the secret.

AWS Secret Manager appends a hyphen and 6 characters to the ARN of the resource, so if your secret also ends with the same patterns (a hyphen and 6 characters) AWS Secret Manager will attempt to resolve it as a full ARN.

The fix was to not match the patterns AWS uses (again - a hyphen and 6 characters) and instead rename the resource to authentication-token.

AWS documentation explaining this issue: https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot.html#ARN_secretnamehyphen

AWS Secrets Manager can’t find the specified secret

6 Answers6

Linked