
SSM Secure Parameter Version ignored in ARN

Open MartinLoeper opened this issue 4 years ago • 7 comments

We create a secure string parameter in SSM and pass it down to an ECS service via a TaskDefinition (inside a ContainerDefinition) as Secret. However, the version of the secure string seems to be ignored when the CloudFormation ARN for the secret in the ECS task definition is created.

Reproduction Steps

import { StringParameter } from "@aws-cdk/aws-ssm";
import { ContainerDefinitionOptions, Secret } from "@aws-cdk/aws-ecs";

// import an existing SecureString parameter, pinned to version 2
const param = StringParameter.fromSecureStringParameterAttributes(construct, "SecretParameterForEcsTaskDefinition", {
    simpleName: false,
    parameterName: "some-name",
    version: 2,
});

const secret = Secret.fromSsmParameter(param);
// pass the secret to ECS task definition via secrets property
...
const options: ContainerDefinitionOptions = {
    ...
    secrets: {
      "some-key": secret,
    }
}

Error Log

Not an error, but the parameter version is not pinned. The ECS task definition contains the following:

...
"secrets": [
  {
    "valueFrom": "arn:aws:ssm:eu-central-1:xxxxxxxxxx:parameter/some-name",
    "name": "some-key"
  }
]

I would expect the ARN to end with: some-name:2.

Environment

  • CLI Version : 1.39.0 (build 5d727c1)
  • Framework Version: 1.39.0
  • Node.js Version: v12.16.3
  • OS : Linux
  • Language (Version): TypeScript

This is :bug: Bug Report

MartinLoeper, Jun 05 '20 16:06

This is actually saving my bacon right now. So, if this is fixed it would be helpful to have a way to ignore the version and keep using the latest version.

cynicaljoy, Jun 23 '20 20:06

Yeah @cynicaljoy, that's definitely on the radar. Trying to figure out where the logic for versioning should go and how to make sure we have that information. Right now the ARN of the parameter doesn't contain the version, but if it's provided by the user during import we "have" it. ECS docs aren't very clear that providing secretarn:version works though.

MrArnoldPalmer, Jun 24 '20 00:06

Here is my +1

jnawk, Feb 27 '21 20:02

I'm having this same issue as well. It would actually be amazing if we could specify a latest version per @cynicaljoy's post or specify a specific version.

In either case, changing the version should trigger a new deployment in ECS. The issue I'm having in @aws-cdk/aws-ssm:1.93.0 is that setting a different version for a SecureString parameter does not update my running containers.

jcsturges, Apr 03 '21 00:04

I did a bit of digging, and it appears one can't specify the version of an SSM Parameter in a task def, so no amount of wishing in the CDK will make it happen. One either needs to use Secrets Manager (which one can (must) specify versions for), or the ECS service itself needs to be changed to support passing in SSM parameter versions.

jnawk, Apr 06 '21 23:04

@jnawk can you provide links for that? I remember looking and not getting a straightforward answer for this. If we can close this out and prefer moving towards better Secrets Manager support that may make sense.

MrArnoldPalmer, Apr 07 '21 18:04

This is the corresponding feature request on the containers roadmap: https://github.com/aws/containers-roadmap/issues/636

It was closed after implementing support for versioned secrets for Secret Store, but not SSM Parameters.

Nevon, Feb 15 '22 09:02
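The practical consequence of this thread is that a synthesized task definition can silently reference the latest SSM parameter value even when the CDK code asked for a pinned version. The following is an added example, not code from the issue or from the CDK project: it audits the `secrets[].valueFrom` entries of a container definition (the JSON shape shown in the issue) and reports which references float. SSM ARNs are reported as floating because, as jnawk notes, ECS documents no version suffix for them; a Secrets Manager ARN counts as pinned only when its `version-id` qualifier is present. The account id and secret names are constructed sample values.

```typescript
// Added example (not from the issue or the CDK code base): classify the
// valueFrom ARNs of an ECS container definition's "secrets" by version pinning.

export type Pinning =
  | "ssm-floating"            // arn:aws:ssm:...:parameter/name  (latest value at task launch)
  | "ssm-version-suffix"      // arn:aws:ssm:...:parameter/name:2 (the form the issue expected)
  | "secretsmanager-floating" // no version-id; resolves through a stage such as AWSCURRENT
  | "secretsmanager-pinned"   // json-key:version-stage:version-id all present
  | "unrecognized";

export interface SecretRef { name: string; valueFrom: string }
export interface Finding extends SecretRef { pinning: Pinning }

export function classifyValueFrom(valueFrom: string): Pinning {
  // ARN layout: arn:partition:service:region:account:resource[:qualifier...]
  // Neither SSM parameter names nor Secrets Manager names may contain ':',
  // so splitting on ':' cleanly separates the resource from its qualifiers.
  const parts = valueFrom.split(":");
  if (parts.length < 6 || parts[0] !== "arn") return "unrecognized";
  const service = parts[2];
  const resource = parts[5];
  const qualifiers = parts.slice(6);
  if (service === "ssm" && resource.startsWith("parameter/")) {
    const suffixed = qualifiers.length === 1 && /^\d+$/.test(qualifiers[0]);
    return suffixed ? "ssm-version-suffix" : "ssm-floating";
  }
  if (service === "secretsmanager" && resource === "secret" && qualifiers.length >= 1) {
    // qualifiers: [secret-name, json-key?, version-stage?, version-id?]
    return qualifiers[3] ? "secretsmanager-pinned" : "secretsmanager-floating";
  }
  return "unrecognized";
}

export function auditSecrets(secrets: SecretRef[]): Finding[] {
  return secrets.map((s) => ({ ...s, pinning: classifyValueFrom(s.valueFrom) }));
}

// Names of secrets whose value is resolved afresh on every task launch.
export function floatingSecretNames(secrets: SecretRef[]): string[] {
  return auditSecrets(secrets).filter((f) => f.pinning.endsWith("-floating")).map((f) => f.name);
}

// Constructed sample mirroring the issue's synthesized output (placeholder account id).
export const sampleSecrets: SecretRef[] = [
  { name: "some-key", valueFrom: "arn:aws:ssm:eu-central-1:123456789012:parameter/some-name" },
  { name: "db-pass", valueFrom: "arn:aws:secretsmanager:eu-central-1:123456789012:secret:app/db-AbCdEf:password:AWSCURRENT:1a2b3c4d-0000-0000-0000-000000000000" },
];

for (const f of auditSecrets(sampleSecrets)) console.log(`${f.name}: ${f.pinning}`);
```

Run it over the `containerDefinitions[].secrets` arrays of a `cdk synth` output to list every secret that will not be pinned by the deployment.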