
GetSecretValue IAM permission for acl-controller

Open polewskm opened this issue 2 years ago • 1 comment

Module: acl-controller

Regarding secrets, currently the module has the following input variables:

  • consul_bootstrap_token_secret_arn
  • consul_server_ca_cert_arn

The module then creates IAM permissions for the GetSecretValue action. Normally this works fine with secret ARNs that only contain a single value, such as:

arn:aws:secretsmanager:<region>:<aws_account_id>:secret:<secret_name>

But when a secret with a JSON structure is used, then the ARN in the ECS task definition becomes:

arn:aws:secretsmanager:region:aws_account_id:secret:secret-name:json-key:version-stage:version-id

Unfortunately, the IAM permission fails (does not apply) when this type of secret ARN is used, and the acl-controller fails to start because it's unable to retrieve the secret value.

I was able to confirm this by manually updating the IAM policy to remove the :json-key:version-stage:version-id suffix, after which the acl-controller was able to start successfully.

How would it be possible to use secrets with ARNs that specify a JSON key?

polewskm avatar Aug 23 '22 16:08 polewskm
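The mismatch the issue describes, worked through as an added example (this is not code from the terraform-aws-consul-ecs module or from the issue author). It assumes only the ECS `valueFrom` formats quoted above: a bare Secrets Manager ARN, or that ARN followed by `:json-key:version-stage:version-id`, where ECS allows the last two selectors to be empty. The ARNs, secret names and the `-AbCdEf`-style suffixes are constructed sample values. `parse_ecs_secret_ref` strips the ECS-only selectors back to the ARN that IAM actually matches, `get_secret_value_policy` builds a policy document from that, and `resource_matches` is a simplified model of IAM `Resource` matching (literal string with `*`/`?` wildcards) that shows why a `Resource` entry containing the full `valueFrom` string never matches the secret.

```python
"""Derive the IAM Resource ARN for secretsmanager:GetSecretValue from an ECS
task-definition ``valueFrom`` string.

Added example, not code from terraform-aws-consul-ecs. All ARNs used here
are constructed sample values.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# A plain Secrets Manager ARN has seven colon-separated fields:
#   arn:aws:secretsmanager:<region>:<account>:secret:<name>
# Secret names cannot contain ':', so splitting on ':' is unambiguous.
BASE_FIELDS = 7


@dataclass(frozen=True)
class EcsSecretRef:
    base_arn: str                 # the ARN IAM evaluates the policy against
    json_key: Optional[str]       # key selected inside a JSON secret, if any
    version_stage: Optional[str]  # ECS-only selector, not part of the ARN
    version_id: Optional[str]     # ECS-only selector, not part of the ARN


def parse_ecs_secret_ref(value_from: str) -> EcsSecretRef:
    """Split an ECS ``valueFrom`` into the bare secret ARN and its ECS-only selectors."""
    fields = value_from.split(":")
    if (len(fields) < BASE_FIELDS or fields[0] != "arn"
            or fields[2] != "secretsmanager" or fields[5] != "secret"):
        raise ValueError(f"not a Secrets Manager ARN: {value_from}")
    extra = fields[BASE_FIELDS:]
    # Either no selectors at all, or exactly json-key:version-stage:version-id
    # (ECS lets the last two be empty, e.g. ``...:username::``).
    if len(extra) not in (0, 3):
        raise ValueError(
            f"expected zero or three selector fields, got {len(extra)}: {value_from}")
    selectors = [s or None for s in extra] if extra else [None, None, None]
    return EcsSecretRef(":".join(fields[:BASE_FIELDS]), *selectors)


def iam_resource_for(value_from: str) -> str:
    """The Resource entry that actually grants GetSecretValue for this valueFrom."""
    return parse_ecs_secret_ref(value_from).base_arn


def get_secret_value_policy(value_froms: List[str]) -> dict:
    """Least-privilege policy document covering every secret the task references."""
    resources = sorted({iam_resource_for(v) for v in value_froms})
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": resources,
        }],
    }


def resource_matches(pattern: str, secret_arn: str) -> bool:
    """Simplified model of IAM Resource matching: literal text, '*' and '?' wildcards.

    Real IAM evaluation has more rules, but this is enough to show why a
    Resource containing the ECS selectors never matches the secret's ARN.
    """
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, secret_arn) is not None


if __name__ == "__main__":
    # Constructed sample: a JSON-structured bootstrap-token secret, referenced
    # by key in the task definition.
    base = "arn:aws:secretsmanager:us-east-1:123456789012:secret:consul/bootstrap-token-AbCdEf"
    value_from = base + ":token:AWSCURRENT:"
    print("as written (fails):", resource_matches(value_from, base))
    print("stripped   (works):", resource_matches(iam_resource_for(value_from), base))
    print(json.dumps(get_secret_value_policy([value_from]), indent=2))
```

The fix in policy terms is to put only the first seven fields of the `valueFrom` into `Resource`; the JSON key and version selectors are consumed by the ECS agent after it has called GetSecretValue, so IAM never sees them.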