I'm using Terraform to create both the App Runner instance and Secrets Manager.

I'm getting a socket timeout error when trying to access Secrets Manager from App Runner.
I'm new to App Runner, but I assumed that App Runner would have access to Secrets Manager.

The application requires access to the database on startup but can't retrieve the DB connection stored in Secrets Manager on start, so the App Runner deployment fails.

Error: Caused by: org.apache.http.conn.ConnectTimeoutException: 
Connect to sts.us-east-1.amazonaws.com:443 
[sts.us-east-1.amazonaws.com/54.239.24.200] failed: Connect timed out
VonC
dtucker1914

3 Answers

EDIT: As of Jan 2023, this is supported now: https://aws.amazon.com/about-aws/whats-new/2023/01/aws-app-runner-secrets-configuration-aws-secrets-systems-manager.

They've also added CDK support: https://github.com/aws/apprunner-roadmap/issues/6#issuecomment-1399768598

OLD ANSWER BELOW:

It doesn't look like it is currently supported, but it is on the roadmap. See the AWS App Runner roadmap here:

https://github.com/aws/apprunner-roadmap

You can also vote for this specific feature request:

https://github.com/aws/apprunner-roadmap/issues/6

Ben Francom
  • It is now on the product roadmap "Coming soon." https://github.com/aws/apprunner-roadmap/issues/6 – Ben Francom Jan 05 '23 at 16:42
  • It is supported now: https://aws.amazon.com/about-aws/whats-new/2023/01/aws-app-runner-secrets-configuration-aws-secrets-systems-manager/ They've also added CDK support: https://github.com/aws/apprunner-roadmap/issues/6#issuecomment-1399768598 – Ben Francom Jan 23 '23 at 17:26
App Runner now supports Secrets Manager and SSM params: https://aws.amazon.com/about-aws/whats-new/2023/01/aws-app-runner-secrets-configuration-aws-secrets-systems-manager/

Psz Now
  • Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center. – Community Jan 14 '23 at 13:58
Dec. 2022: apprunner-roadmap issue 6 ("External Configuration/Secret Sources") just had two updates:

  • Hari Ohm Prasath from Amazon Web Services adds:

    The team is actively working on this feature, we will keep you updated about the progress in the upcoming weeks.

  • Andreas Donig proposes:

    Not sure whether this is a working workaround because I didn't try it, but isn't it possible to pass the secret ARN as an environment variable to the container and there use the awscli to get the secret value and do something with it, for example put it in the container command execution environment in docker-entrypoint.sh like this:

    #!/bin/bash
    # -x is left out on purpose: it would echo the secret value into the container logs.
    set -euo pipefail
    # The secret ARN arrives as an environment variable; read the value with the instance role.
    MY_SECRET_VALUE=$(aws secretsmanager get-secret-value --secret-id "$MY_SECRET_ARN" --query SecretString --output text)
    # Quoted so a value containing spaces survives; handed only to the real command, not exported here.
    exec env MY_VARIABLE="$MY_SECRET_VALUE" "$@"
    

    I believe it should work as long as you have a VPC connector to a VPC with a Secrets Manager VPC endpoint and your task role allows the containers to access Secrets Manager.

VonC
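The configuration the later answers point at (the runtime_environment_secrets feature from Ben Francom's update, and the instance-role permission the comment quoted above mentions), written out in Terraform since the question builds both resources that way. This is an added example, not code from the question or any answer; the resource names, the secret name, the sample public image and the DB_CONNECTION variable name are assumptions. App Runner resolves the secret with the instance role and injects it, so the application reads DB_CONNECTION as an ordinary environment variable instead of calling Secrets Manager itself.

```hcl
# Secret holding the DB connection string (name is an assumption).
resource "aws_secretsmanager_secret" "db" {
  name = "example/app/db-connection"
}
# Instance role: the identity the running container uses.
data "aws_iam_policy_document" "instance_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["tasks.apprunner.amazonaws.com"]
    }
  }
}
resource "aws_iam_role" "instance" {
  name               = "example-apprunner-instance"
  assume_role_policy = data.aws_iam_policy_document.instance_assume.json
}
# Least privilege: this role may read exactly this one secret, nothing else.
resource "aws_iam_role_policy" "read_db_secret" {
  role = aws_iam_role.instance.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["secretsmanager:GetSecretValue"]
      Resource = aws_secretsmanager_secret.db.arn
    }]
  })
}
resource "aws_apprunner_service" "app" {
  service_name = "example-app"
  instance_configuration {
    instance_role_arn = aws_iam_role.instance.arn
  }
  source_configuration {
    auto_deployments_enabled = false # not supported for public ECR images
    image_repository {
      image_repository_type = "ECR_PUBLIC"
      image_identifier      = "public.ecr.aws/aws-containers/hello-app-runner:latest"
      image_configuration {
        port = "8000"
        # Resolved by App Runner with the instance role and injected as DB_CONNECTION.
        runtime_environment_secrets = {
          DB_CONNECTION = aws_secretsmanager_secret.db.arn
        }
      }
    }
  }
}
```

If the service also uses a VPC connector, the container's own outbound traffic (the database connection, for instance) is routed through that VPC, so that VPC still needs a route to whatever the application reaches.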