
I have a problem getting a specified secret from AWS Secrets Manager in my Spring Boot example.

I think localstack is useful for the process.

Here is the localstack code snippet defined in docker-compose.

  localstack:
    image: localstack/localstack:latest
    environment:
      - SERVICES=s3
      - EDGE_PORT=4566
      - AWS_ACCESS_KEY_ID=test
      - AWS_SECRET_ACCESS_KEY=test
      - AWS_DEFAULT_REGION=eu-west-3
    ports:
      - '4566-4597:4566-4597'
    volumes:
      - "${TMPDIR:-/tmp/localstack}:/tmp/localstack"

After I ran setup-aws.sh, I tried to run the Spring Boot example.

I couldn't get the secret value.

How can I fix it?

Here is the application.properties file

cloud.aws.end-point.uri=http://s3.localhost.localstack.cloud:4566/
# injected into secretManagerUrl
cloud.aws.secrets-manager.end-point.uri=http://localhost:4566

s3.bucket.base.url=http://bucketnameproject.s3.localhost.localstack.cloud:4566/

Here is the init method of AWSConfiguration file

import java.util.HashMap;
import java.util.Map;
import org.springframework.beans.factory.annotation.Value;
import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;
import com.amazonaws.services.secretsmanager.model.GetSecretValueResult;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;

// Spring annotations omitted; only the fields the method references are shown
public class AWSConfiguration {
    // Injected from application.properties (cloud.aws.secrets-manager.end-point.uri)
    @Value("${cloud.aws.secrets-manager.end-point.uri}")
    private String secretManagerUrl;
    private final Map<String, String> secretCache = new HashMap<>();

    public void init() throws JsonProcessingException {
        String secretName = "aws/secret";
        String region = "eu-west-3"; // must be the region the secret was created in

        AWSSecretsManager client = AWSSecretsManagerClientBuilder.standard()
                .withEndpointConfiguration(new EndpointConfiguration(secretManagerUrl, region))
                .build();

        GetSecretValueRequest getSecretValueRequest = new GetSecretValueRequest()
                .withSecretId(secretName);
        // ResourceNotFoundException is raised by this call when name or region do not match
        GetSecretValueResult getSecretValueResult = client.getSecretValue(getSecretValueRequest);

        String secret = getSecretValueResult.getSecretString(); // HERE IS THE ERROR LOCATION

        ObjectMapper m = new ObjectMapper();
        Map<String, String> read = m.readValue(secret, new TypeReference<Map<String, String>>() {});
        // Each entry overwrites the same two cache keys, so only the last JSON entry is kept
        read.forEach((key, value) -> {
            secretCache.put("accessKey", key);
            secretCache.put("secretKey", value);
        });
    }
}

Here is the setup-aws.sh shown below.

#!/bin/sh
# CLI credentials and region; localstack accepts any test values
aws configure set aws_access_key_id "test"
aws configure set aws_secret_access_key "test"
aws configure set default.region eu-west-3

# The region is passed explicitly so that an AWS_DEFAULT_REGION already set in the
# shell environment (which overrides the config file) cannot place the secret in a
# different region from the one the Java client is configured with.
aws --endpoint-url=http://localhost:4566 --region eu-west-3 \
    secretsmanager create-secret --name aws/secret \
    --secret-string '{"my_uname":"username","my_pwd":"password"}'

# --region and LocationConstraint must name the same region (was eu-west-1 vs eu-west-3)
aws --endpoint-url=http://localhost:4566 s3api create-bucket \
    --bucket bucketnameproject \
    --region eu-west-3 \
    --create-bucket-configuration LocationConstraint=eu-west-3

Here is the output of the sh file

{
    "ARN": "arn:aws:secretsmanager:eu-central-1:000000000000:secret:aws/secret-AdRTaw",
    "Name": "aws/secret",
    "VersionId": "ce0e8536-565a-4791-9259-8272d46e04be"
}

Here is the output of aws --endpoint-url=http://localhost:4566/ secretsmanager list-secrets

{
    "SecretList": [
        {
            "ARN": "arn:aws:secretsmanager:eu-central-1:000000000000:secret:aws/secret-ScYdQq",
            "Name": "aws/secret",
            "LastChangedDate": "2022-10-18T00:18:02.283609+03:00",
            "SecretVersionsToStages": {
                "eca973d8-c502-4c74-a646-8e412cd66973": [
                    "AWSCURRENT"
                ]
            },
            "CreatedDate": "2022-10-18T00:18:02.283609+03:00"
        }
    ]
}

Here is the error shown below.

com.amazonaws.services.secretsmanager.model.ResourceNotFoundException: Secrets Manager can't find the specified secret. (Service: AWSSecretsManager; Status Code: 400; Error Code: ResourceNotFoundException; Request ID: 55AQCW3AFW5RK39GQZGXAK6MVHG80K7W6SGYTUE5MTJ5X5TMLEMB; Proxy: null)
    There's really nothing SpringBoot specific here. This is just some Java code calling the AWS SDK for Java. If it can't find the secret, then either the name you are giving it is incorrect, or the region is incorrect, or the access key/secret key you gave it is for a different account. – Mark B Oct 17 '22 at 20:38
  • So you're using something like localstack to do this, instead of actually using AWS? What's the value of `secretManagerUrl` in the Java code? Also, did you notice the region you show in the code is not the region shown in the error message? – Mark B Oct 17 '22 at 20:46
  • @MarkB I forgot to add the localstack properties. I added all of them. – S.N Oct 17 '22 at 20:51
  • You still haven't shown what value the `secretManagerUrl` variable in the Java code contains. And you don't appear to be setting the SecretsManager URL in the application.properties file either. – Mark B Oct 17 '22 at 21:57
  • @MarkB `@Value("${cloud.aws.secrets-manager.end-point.uri}") private String secretManagerUrl;` – S.N Oct 17 '22 at 21:58
  • @MarkB I still couldn't fix the issue. – S.N Oct 19 '22 at 12:13
  • @MarkB I have another issue regarding aws not running with localstack in docker-compose. Can you help me? Here is the link: https://stackoverflow.com/questions/74363198/cannot-run-sh-file-regarding-aws-configure-in-localstack-in-docker-compose-yml – S.N Nov 16 '22 at 21:52
  • I am having the same issue with .Net, any solution for this? – delpha Jul 06 '23 at 15:56

1 Answer


Let's understand what an AWS account secret and AWS Secrets Manager are:

  • An AWS account secret is used for client (Java, shell, etc.) authentication
  • AWS Secrets Manager is an online service to centralize some secrets of your app like database_host, database_password, some_api_key, etc.

To find the error, follow these steps:

Retrieve the value

If your secret was created correctly, try to retrieve it:

aws secretsmanager get-secret-value --secret-id account-player1

If you can't from the shell, neither can the Java code.

Id should contain the ARN

According to some posts, the secret name should be the entire ARN:

So instead of "aws/secret" in String secretName = "aws/secret"; use

arn:aws:secretsmanager:eu-central-1:000000000000:secret:aws/secret-AdRTaw

Docs and posts

  • I also defined `arn:aws:secretsmanager:eu-central-1:000000000000:secret:aws/secret-AdRTaw` but I still get the same error. – S.N Oct 17 '22 at 21:37
  • Did you validate the value retrieved with the shell? Also, the ARN is not defined by the user. You define only the key; the ARN is created by AWS. – JRichardsz Oct 17 '22 at 23:22
  • I still couldn't fix it. – S.N Oct 19 '22 at 12:17
  • Did you validate the value retrieved with the shell? – JRichardsz Oct 20 '22 at 00:06
  • I have another issue regarding aws not running with localstack in docker-compose. Can you help me? Here is the link: https://stackoverflow.com/questions/74363198/cannot-run-sh-file-regarding-aws-configure-in-localstack-in-docker-compose-yml – S.N Nov 10 '22 at 23:47
  • If this was useful, click on the upper arrow and mark as solved – JRichardsz Nov 11 '22 at 00:25
  • I tried to clean and build the project and check the environment variables in the system and then define some of the variables. Then it works. Can you look through my other issue if possible? – S.N Nov 11 '22 at 12:56
  • I have another issue regarding aws not running with localstack in docker-compose. Can you help me? Here is the link: https://stackoverflow.com/questions/74363198/cannot-run-sh-file-regarding-aws-configure-in-localstack-in-docker-compose-yml – S.N Nov 16 '22 at 21:52
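As an added example (not code from the question or the answer), this script does the check the answer recommends, reading the secret from the shell, but first compares the region encoded in the ARN that create-secret printed with the region the Java client is configured for, the mismatch Mark B points at in the comments (eu-central-1 in the ARN vs eu-west-3 in the code). The ENDPOINT value, the ARN and the client region passed as arguments are assumptions.

```shell
#!/bin/sh
# Added example: verify that the secret's region matches the client's region before
# fetching it from localstack. Usage: sh check-secret.sh <arn> <client-region>
set -eu

ENDPOINT="${ENDPOINT:-http://localhost:4566}"   # assumed localstack edge endpoint

# Region field of a Secrets Manager ARN:
#   arn:aws:secretsmanager:<region>:<account>:secret:<name>-<suffix>
arn_region() {
  case "$1" in
    arn:aws:secretsmanager:*) printf '%s\n' "$1" | cut -d: -f4 ;;
    *) return 1 ;;
  esac
}

# Secret name: everything after the sixth ':' with the random "-XXXXXX" suffix removed
arn_secret_name() {
  rest="$(printf '%s\n' "$1" | cut -d: -f7-)"
  printf '%s\n' "${rest%-*}"
}

# Returns 1 (with an explanation) when the ARN's region differs from the client's,
# 2 when the first argument is not a Secrets Manager ARN, 0 when they match
check_region() {
  client_region="$2"
  arn_reg="$(arn_region "$1")" || { echo "not a Secrets Manager ARN: $1" >&2; return 2; }
  if [ "$arn_reg" != "$client_region" ]; then
    echo "region mismatch: secret lives in $arn_reg, client configured for $client_region" >&2
    return 1
  fi
}

# Retrieve the secret by name from the region the ARN says it was created in
fetch_secret() {
  region="$(arn_region "$1")"
  aws --endpoint-url="$ENDPOINT" --region "$region" \
      secretsmanager get-secret-value --secret-id "$(arn_secret_name "$1")" \
      --query SecretString --output text
}

if [ "$#" -ge 2 ]; then
  check_region "$1" "$2" && fetch_secret "$1"
fi
```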