
[Bug]: Can't deploy because of Secrets issue #5752

Open
apassy opened this issue Apr 3, 2024 · 8 comments
Labels
guidance Issue requesting guidance or information about usage pending/question Further information is requested.

Comments


apassy commented Apr 3, 2024

Other Closed Issues related to tagging.

Description:

I'm trying to deploy a service that I previously deployed just fine, but I added a secrets section to the manifest, and now it's failing.

Details:

Copilot ver: 1.33.1
running on Windows 11
Load-balanced web app

Additional manifest lines:

secrets:                      
  adc_reader:
    secretsmanager: 'ReportWriter_ADC_DB'

Error:

  - [a7438eb0]: ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve secret from asm: service call has been retried 1 time(s): failed to fetch secret arn:aws:secretsmanager:us-east-1:<ID REDACTED>:secret:ReportWriter_ADC_DB from secrets manager: AccessDeniedException: User: arn:aws:sts::<ID REDACTED>:assumed-role/streamlit-sample-test-front-end-ExecutionRole-qXmoAXceH13T/a7438eb04296469cbb925934135fa489 is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-1:<ID REDACTED>:secret:ReportWriter_ADC_DB because no identity-based policy allows the secretsmanager:GetSecretValue action status code: 400, request id: 53f8285a-ebbf-4208-8358-c011a9c0a9fc

Secrets are tagged with the copilot-application and copilot-environment and those match what I'm using.

Expected result:

expected successful deployment

apassy added the type/bug label Apr 3, 2024

@al-dpopowich

This has been reported in #5732. You need to give the full ARN of the secret, not just its name.


apassy commented Apr 4, 2024

Same error when using the full ARN.

@Lou1415926 (Contributor)

hey @apassy , please see my response here and see if it helps clarify anything for you. In the meantime, can you try specifying the secret ARN instead of just the name?

Lou1415926 added the pending/question and guidance labels Apr 5, 2024


apassy commented Apr 8, 2024

Tried with full ARN

secrets:                      # Pass secrets from AWS Systems Manager (SSM) Parameter Store.
  adc_reader:
    secretsmanager: 'arn:aws:secretsmanager:us-east-1:<acct>:secret:ReportWriter_ADC_DB-<random>'
  dropbox_writer:
    secretsmanager: 'arn:aws:secretsmanager:us-east-1:<acct>:secret:DropboxReportWriter-<random>'
  infra_reader:
    secretsmanager: 'arn:aws:secretsmanager:us-east-1:<acct>:secret:ReportWriter_Infrastructure_DB-<random>'

    ✘ Latest 2 tasks stopped reason
      - [955086cd,9b359892]: ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve secret from asm: service call has been retried 1 time(s): secrets manager: failed to retrieve secret from arn:aws:secretsmanager:us-east-1:<acct>:secret:arn:aws:secretsmanager:us-east-1:491150467047:secret:ReportWriter_ADC_DB-<random>: unexpected ARN format with parameters when trying to retrieve ASM secret

@h5aaimtron

@apassy remove the _ and any - in the last segment of your secret.

@Lou1415926 we just had this issue where our copilot services could not access secrets where the last segment had a hyphen.
Example that didn't work: common/data/lookup-id
Example that did work: common/data/lookupid

It appears if the hyphen is in a previous segment, but not the ending segment, it's fine such as:
Works fine: api-common/lookupid

No matter what you'll get an error about accessing the secret.

dannyrandall removed the type/bug label Apr 29, 2024

@ssyberg

ssyberg commented May 8, 2024

I think this is still a bug, all my secrets are working fine in my first environment but now I'm seeing this error when trying to deploy to a new environment

@iamhopaul123 (Contributor)

@ssyberg can you check if the secrets are properly tagged with copilot-application etc.? Are you using the same secrets for both envs?


ssyberg commented May 10, 2024

> @ssyberg can you check if the secrets are properly tagged with copilot-application etc.? Are you using the same secrets for both envs?

It was totally the tagging, I missed that sentence in the docs!
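Two distinct failures appear in this thread: an AccessDeniedException on secretsmanager:GetSecretValue for the service's ECS execution role (the role that fetches secrets when a task starts, not the task role), which the replies above trace to missing copilot-application / copilot-environment tags on the secret, and an "unexpected ARN format with parameters" error whose ARN in the output is visibly a full ARN prefixed with arn:...:secret: a second time. The script below is an added pre-flight check written for this thread; it is not code from the Copilot project. It parses a Secrets Manager ARN the way ECS reads a valueFrom (secret name, optionally followed by up to three colon-separated json-key / version-stage / version-id parameters), flags the nested-ARN shape and over-long parameter lists, and checks a secret's tag list against the app and environment you are deploying to. The tag list shape is what aws secretsmanager describe-secret returns under "Tags"; all inputs here are constructed, including the 12-digit account id, and the function and variable names are this example's own.

```python
"""Pre-flight checks for Copilot `secrets:` entries backed by Secrets Manager.

Added example for this thread, not code from the Copilot project. Runs
offline on constructed data; in practice pass each manifest value to
lint_secret_ref() and the "Tags" list from
`aws secretsmanager describe-secret --secret-id <name-or-arn>`
to missing_copilot_tags().
"""
import re

# ECS reads a Secrets Manager `valueFrom` as
#   arn:aws:secretsmanager:<region>:<account>:secret:<name>[:json-key[:version-stage[:version-id]]]
# so at most three colon-separated parameters may follow the secret name.
MAX_PARAMS = 3

ARN_RE = re.compile(
    r"^arn:aws(?:-[a-z]+)?:secretsmanager:"
    r"(?P<region>[a-z0-9-]+):(?P<account>\d{12}):secret:(?P<rest>.+)$"
)


def parse_secret_arn(value):
    """Return the parts of a Secrets Manager ARN, or None if `value` is not one.

    The text after `:secret:` is the secret name (Secrets Manager appends a
    random `-xxxxxx` suffix, and names may contain '/'), optionally followed
    by the colon-separated parameters ECS understands.
    """
    m = ARN_RE.match(value)
    if m is None:
        return None
    name, *params = m.group("rest").split(":")
    return {
        "region": m.group("region"),
        "account": m.group("account"),
        "name": name,
        "params": params,
    }


def lint_secret_ref(value):
    """Return a list of problems with one manifest `secretsmanager:` value.

    An empty list means the value has a shape ECS can use as `valueFrom`.
    """
    problems = []
    parsed = parse_secret_arn(value)
    if parsed is None:
        # A bare name: the deploy tooling builds the ARN itself, so a ':' in
        # the name would later be read by ECS as a parameter separator.
        if value.startswith("arn:"):
            problems.append("looks like an ARN but is not a well-formed Secrets Manager ARN")
        elif ":" in value:
            problems.append("bare secret name contains ':'")
        return problems
    if parsed["name"] == "arn":
        # The shape in the thread's second error: a full ARN that was prefixed
        # with arn:...:secret: again, which ECS rejects as
        # "unexpected ARN format with parameters".
        problems.append("nested ARN: an ARN was used where the tooling expected a bare name")
    elif len(parsed["params"]) > MAX_PARAMS:
        problems.append(
            f"{len(parsed['params'])} parameters after the secret name; "
            f"ECS allows at most {MAX_PARAMS}"
        )
    return problems


def missing_copilot_tags(tags, app, env):
    """Return the Copilot tag keys that are absent or do not match app/env.

    `tags` is the "Tags" list from describe-secret: [{"Key": ..., "Value": ...}].
    A secret tagged for one environment is not visible to a service deploying
    to another, which is the situation in the last comments of the thread.
    """
    have = {t["Key"]: t["Value"] for t in tags}
    expected = {"copilot-application": app, "copilot-environment": env}
    return sorted(key for key, want in expected.items() if have.get(key) != want)


if __name__ == "__main__":
    # Constructed inputs modelled on the thread; the account id is fake.
    acct = "123456789012"
    good = f"arn:aws:secretsmanager:us-east-1:{acct}:secret:ReportWriter_ADC_DB-AbCdEf"
    nested = f"arn:aws:secretsmanager:us-east-1:{acct}:secret:{good}"
    for ref in ("ReportWriter_ADC_DB", good, good + ":password", nested):
        print(f"{ref[:60]:<60} -> {lint_secret_ref(ref) or 'ok'}")

    # Constructed tag set for a secret created for the "test" environment.
    tags = [
        {"Key": "copilot-application", "Value": "streamlit-sample"},
        {"Key": "copilot-environment", "Value": "test"},
    ]
    print("deploy to test:", missing_copilot_tags(tags, "streamlit-sample", "test") or "ok")
    print("deploy to prod:", missing_copilot_tags(tags, "streamlit-sample", "prod"))
```

Run it against real values by piping describe-secret output through a small wrapper; a non-empty result from missing_copilot_tags() for the environment you are deploying to is the condition behind the AccessDeniedException in the first report, and a "nested ARN" finding from lint_secret_ref() reproduces the second.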
