ecs-secrets
Error creating cloudformation stack: ResourceNotReady: failed waiting for successful resource state
Hey! I saw this tool and was excited to try it out. When executing the following setup command:
docker run --env-file setup-env.txt -v ~/.aws:/root/.aws amazon/amazon-ecs-secrets setup --application-name test-secrets --create-principal arn:aws:iam::$ACCOUNT_ID:role/SecretsAdmin --fetch-role arn:aws:iam::$ACCOUNT_ID:role/MyApplicationRole
I get the following error: Error creating cloudformation stack: ResourceNotReady: failed waiting for successful resource state
When I checked the CloudFormation stack details, it seems to have failed because of a MalformedPolicyDocumentException.

I've attached the generated CloudFormation template:
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "AWS CloudFormation template to create resources for ECS Secrets.",
  "Parameters": {
    "ECSSecretsTableName": {
      "Type": "String",
      "Description": "Table name for ECS Secrets"
    },
    "ECSSecretsIAMPrincipalForCreatingSecrets": {
      "Type": "String",
      "Description": "IAM Entity used to create secrets"
    },
    "ECSSecretsIAMRoleArn": {
      "Type": "String",
      "Description": "Task IAM Role Arn used by the application"
    }
  },
  "Resources": {
    "ECSSecretsTable": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {
        "AttributeDefinitions": [
          { "AttributeName": "Name", "AttributeType": "S" },
          { "AttributeName": "Serial", "AttributeType": "N" }
        ],
        "KeySchema": [
          { "AttributeName": "Name", "KeyType": "HASH" },
          { "AttributeName": "Serial", "KeyType": "RANGE" }
        ],
        "ProvisionedThroughput": {
          "ReadCapacityUnits": "5",
          "WriteCapacityUnits": "5"
        },
        "TableName": { "Ref": "ECSSecretsTableName" }
      }
    },
    "ECSSecretsMasterKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "Master Key for ECS Secrets",
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "ecs-secrets-setup-key-policy",
          "Statement": [
            {
              "Sid": "Allow administration of the key",
              "Effect": "Allow",
              "Principal": {
                "AWS": { "Fn::Join": [":", ["arn:aws:iam:", { "Ref": "AWS::AccountId" }, "root"]] }
              },
              "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
              ],
              "Resource": "*"
            },
            {
              "Sid": "Allow use of the key to create secrets",
              "Effect": "Allow",
              "Principal": { "AWS": { "Ref": "ECSSecretsIAMPrincipalForCreatingSecrets" } },
              "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
              ],
              "Resource": "*"
            },
            {
              "Sid": "Allow use of the key to retrieve secrets",
              "Effect": "Allow",
              "Principal": { "AWS": { "Ref": "ECSSecretsIAMRoleArn" } },
              "Action": [
                "kms:Decrypt",
                "kms:DescribeKey"
              ],
              "Resource": "*"
            }
          ]
        }
      }
    }
  },
  "Outputs": {
    "secretsDynamoTable": {
      "Value": { "Fn::Sub": "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ECSSecretsTable}" }
    },
    "kmsKey": {
      "Value": { "Ref": "ECSSecretsMasterKey" }
    }
  }
}
```
@vecchp Thanks for posting this issue. Can you confirm that you have already created the IAM roles SecretsAdmin and MyApplicationRole?
Ah, that is most likely the culprit. I haven't got around to trying this approach again yet.
We've been putting more effort into using S3 with KMS-SSE.
I have the same problem. Which policies should be attached to these roles?
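Two questions in this thread (the maintainer's "have the roles been created?" and the follow-up "which policies should be attached to them?") can be answered with a small preflight script. The following is an added example, not code from amazon-ecs-secrets: it builds least-privilege inline policies for the fetch role and the creating principal, and checks that every IAM principal named in the generated key policy actually exists before CloudFormation creates the key, since KMS rejects a key policy that names a nonexistent IAM principal with MalformedPolicyDocumentException. The KMS actions mirror the key policy in the template posted above; the DynamoDB actions are my assumption from the Name/Serial table schema, not the tool's documented requirements. The template fragment, parameters and role fixture are constructed for the example.

```python
"""Preflight helpers for the ecs-secrets setup stack (added example, not part of
amazon-ecs-secrets). Builds inline policies for the two roles the setup command
names and checks that the key policy's principals exist before stack creation."""
import re
from typing import Callable, Dict, List

# arn:aws:iam::<account>:role/<optional/path/>Name  (or user/...)
IAM_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(role|user)/(.+)$")


def fetch_role_policy(table_arn: str, key_arn: str) -> Dict:
    """Policy for the ECS task role that only reads secrets.
    Assumption: the table is read with GetItem/Query and never written."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadSecretItems", "Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:Query"], "Resource": table_arn},
        {"Sid": "DecryptSecrets", "Effect": "Allow",   # mirrors the key policy
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": key_arn},
    ]}


def admin_role_policy(table_arn: str, key_arn: str) -> Dict:
    """Policy for the principal that creates secrets.
    Assumption: each new version is written as a new (Name, Serial) item."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "WriteSecretItems", "Effect": "Allow",
         "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem",
                    "dynamodb:GetItem", "dynamodb:Query"], "Resource": table_arn},
        {"Sid": "EncryptSecrets", "Effect": "Allow",    # mirrors the key policy
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": key_arn},
    ]}


def _resolve(node, params: Dict[str, str]) -> str:
    """Evaluate the subset of CloudFormation intrinsics the key policy uses."""
    if isinstance(node, str):
        return node
    if isinstance(node, dict) and len(node) == 1:
        (fn, arg), = node.items()
        if fn == "Ref":
            return params[arg]
        if fn == "Fn::Join":
            sep, parts = arg
            return sep.join(_resolve(p, params) for p in parts)
    raise ValueError(f"unsupported intrinsic: {node!r}")


def missing_principals(template: Dict, params: Dict[str, str],
                       exists: Callable[[str], bool]) -> List[str]:
    """Return key-policy principals that are malformed or that `exists` rejects.
    `exists` is injected so the check runs offline against a fixture, or live
    against IAM via iam_principal_exists below."""
    policy = template["Resources"]["ECSSecretsMasterKey"]["Properties"]["KeyPolicy"]
    missing = []
    for stmt in policy["Statement"]:
        arn = _resolve(stmt["Principal"]["AWS"], params)
        if arn.endswith(":root"):          # the account root always exists
            continue
        if not IAM_ARN_RE.match(arn) or not exists(arn):
            missing.append(arn)
    return missing


def iam_principal_exists(arn: str) -> bool:
    """Live lookup; needs boto3 and credentials allowed iam:GetRole/iam:GetUser."""
    import boto3
    from botocore.exceptions import ClientError
    m = IAM_ARN_RE.match(arn)
    if not m:
        return False
    name = m.group(3).rsplit("/", 1)[-1]   # Get* APIs take the name without its path
    iam = boto3.client("iam")
    try:
        iam.get_role(RoleName=name) if m.group(2) == "role" else iam.get_user(UserName=name)
        return True
    except ClientError as err:
        if err.response["Error"]["Code"] == "NoSuchEntity":
            return False
        raise


# Constructed fixture: the KeyPolicy principals from the template posted in this
# issue, plus the parameters the setup command in this issue would pass.
SAMPLE_TEMPLATE = {"Resources": {"ECSSecretsMasterKey": {"Properties": {"KeyPolicy": {
    "Statement": [
        {"Sid": "Allow administration of the key", "Principal": {"AWS": {
            "Fn::Join": [":", ["arn:aws:iam:", {"Ref": "AWS::AccountId"}, "root"]]}}},
        {"Sid": "Allow use of the key to create secrets", "Principal": {"AWS": {
            "Ref": "ECSSecretsIAMPrincipalForCreatingSecrets"}}},
        {"Sid": "Allow use of the key to retrieve secrets", "Principal": {"AWS": {
            "Ref": "ECSSecretsIAMRoleArn"}}},
    ]}}}}}
SAMPLE_PARAMS = {
    "AWS::AccountId": "123456789012",
    "ECSSecretsIAMPrincipalForCreatingSecrets": "arn:aws:iam::123456789012:role/SecretsAdmin",
    "ECSSecretsIAMRoleArn": "arn:aws:iam::123456789012:role/MyApplicationRole",
}
EXISTING_ROLES = {"arn:aws:iam::123456789012:role/SecretsAdmin"}  # constructed: only one role made

if __name__ == "__main__":
    for arn in missing_principals(SAMPLE_TEMPLATE, SAMPLE_PARAMS, EXISTING_ROLES.__contains__):
        print("key policy names a principal that does not exist:", arn)
```

Against a real account, pass `exists=iam_principal_exists` and the stack parameters you give to `setup`. The trust policies are not generated here; the fetch role is used as an ECS task role and so must trust `ecs-tasks.amazonaws.com`, while whatever assumes SecretsAdmin is a deployment decision.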