# aws

tall-lion-84030

03/15/2023, 11:03 AM
Hello everyone! I'm trying to set up a full ECR-Fargate-ECS pipeline with Pulumi. I need to pass some secrets stored in Secrets Manager to my image. I've declared a `FargateService` with a `taskDefinitionArgs` and gave it a `taskRole` and `executionRole` with a Role containing the right permissions to retrieve secrets (`secretsmanager:GetSecretValue`, `kms:Decrypt` and `ssm:GetParameters`). But I'm stuck with an error:
RessourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve secrets from ssm: service call has been retried 1 times): Invalld ssm parameters
I was unaware that Secrets Manager uses SSM Parameter Store under the hood, since I have not set any parameter store. Does anyone have any idea to help me figure this out? Thanks in advance 🙏

calm-cat-43230

03/15/2023, 2:02 PM
It looks like perhaps your params/secrets references might not be quite right — can you share that section? Perhaps the correct SSM param ARN string isn’t what’s being stored in the container def block. e.g.
```javascript
secrets: [
  { name: 'ENV_VAR_NAME', valueFrom: 'arn:aws:ssm:<region>:<account>:parameter/parampath/paramname' }
]
```

tall-lion-84030

03/15/2023, 2:05 PM
@calm-cat-43230 Do I have to pass an SSM ARN? I wanted to pass my Secrets Manager full ARN.
Here is one of the secrets I pass:
```javascript
{
  name: 'MONGODB_URI',
  valueFrom: 'arn:aws:secretsmanager:eu-west-3:ACCOUNT_ID:secret:MONGODB_URI-ftkHYT',
},
```

calm-cat-43230

03/15/2023, 2:22 PM
Looks ok to me, based on https://docs.aws.amazon.com/AmazonECS/latest/developerguide/secrets-envvar-secrets-manager.html — I've not used Secrets Manager, but it seems you can get away without the "default colons" at the end of the ARN, based on that. It does seem like somewhere it's trying to interpret that as SSM though. Perhaps 1. try to call each of your secrets using the CLI and those ARNs, to ensure they aren't malformed, and 2. build up your `secrets` block one by one until you hit the one that's failing?
You can also eyeball the actual ENV var `valueFrom`s using the console or CLI and describing the container.
I’ve sometimes found that I interpolated incorrectly, and that’s been helpful.