Aws-cdk: secret from SecretsManager not resolved correctly

Created on 17 Nov 2019 · 6 comments · Source: aws/aws-cdk

The secret doesn't seem to be correctly resolved when used in outputs.

Reproduction Steps

import * as cdk from '@aws-cdk/core';
import * as secretsManager from '@aws-cdk/aws-secretsmanager';

// Inside a Stack constructor. Reference an existing secret by ARN (placeholder ARN).
const secret = secretsManager.Secret.fromSecretArn(
  this,
  'Secrets',
  'arn:aws:secretsmanager:us-east-1:xxx:secret:yyy-secrets-zzz',
);
// secretValueFromJson() returns a SecretValue token; toString() renders it as a
// CloudFormation dynamic reference string, not the plaintext value.
new cdk.CfnOutput(this, 'testoutput', {
  value: secret.secretValueFromJson('abcdef').toString(),
});

produces the following output:

app.testoutput = {{resolve:secretsmanager:arn:aws:secretsmanager:us-east-1:xxx:secret:yyy-secrets-zzz:SecretString:abcdef::}}

instead of the actual resolved secret.

Environment

Using aws-cdk v1.8.0.


This is a :bug: Bug Report

@aws-cdk/aws-secretsmanager guidance needs-cfn p2

All 6 comments

This is probably a limitation of the underlying CloudFormation system.

I think they don't expect you to put a secret (something you want to keep hidden) in stack outputs (visible to everyone, will probably appear in CloudFormation logs).

That makes sense. My actual use case is to use a secret from SecretsManager as a k8s secret using aws-cdk's addResource functionality. In that case as well the secret is not resolved. What would be a good workflow there?

Running into the exact same problem creating a k8s secret using CDK + SecretsManager. Any guidance on how to make this work would be much appreciated.

Same use case here. It seems to be something related to addResource that doesn't resolve the value.
But using Secret.fromSecretArn to create an environment variable in an ECS task definition works.
Any workaround for this?

This is a limitation of CloudFormation and dynamic references. From the dynamic references docs:

Dynamic references for secure values, such as secretsmanager, are not currently supported in custom resources.

When calling addResource, a custom resource is being created, which is why the secret can't be used as a dynamic reference there.

Tagging @eladb as the k8s expert to suggest if there's any workaround that springs to mind.
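The two behaviours in this thread (the output that prints a literal `{{resolve:...}}`, and the custom resource created by addResource that never has it resolved) both come down to where a Secrets Manager dynamic reference ends up in the synthesized template. The following is an added example, not code from the aws-cdk project or from anyone in this issue: it parses the CloudFormation `{{resolve:secretsmanager:secret-id:secret-string:json-key:version-stage:version-id}}` syntax and walks a template to report each reference as sitting in an Output (the value is resolved, so the secret is exposed in stack outputs), in a `Custom::*` resource (not resolved, so the provider receives the literal string), or in an ordinary resource (resolved normally). The sample template, the `Custom::ExampleKubernetesResource` type name and the ARN are constructed placeholders, the ARN copied from the issue; a real `cdk synth` output can be loaded with `JSON.parse` and passed to `auditTemplate` instead.

```typescript
// Added example (not aws-cdk project code): audit a synthesized CloudFormation
// template for Secrets Manager dynamic references and classify their location.

// Parsed form of one "{{resolve:secretsmanager:...}}" reference.
export interface SecretsManagerRef {
  secretId: string;     // secret name or full ARN
  secretString: string; // "SecretString" when present, else ""
  jsonKey: string;      // key inside a JSON secret, "" for the whole value
  versionStage: string; // "" means AWSCURRENT
  versionId: string;    // "" means the current version
}

// Fields in a Secrets Manager secret ARN: arn:partition:secretsmanager:region:account:secret:name
const ARN_FIELDS = 7;

// Parse the body between "{{resolve:secretsmanager:" and "}}". The secret id may be an
// ARN containing colons, so the ARN is consumed first; the remaining fields map onto
// secret-string, json-key, version-stage and version-id, each optional.
export function parseSecretsManagerRef(body: string): SecretsManagerRef {
  const parts = body.split(":");
  const idLen = parts[0] === "arn" ? ARN_FIELDS : 1;
  const [secretString = "", jsonKey = "", versionStage = "", versionId = ""] = parts.slice(idLen);
  return { secretId: parts.slice(0, idLen).join(":"), secretString, jsonKey, versionStage, versionId };
}

// Find every Secrets Manager dynamic reference embedded in a string value. CloudFormation
// also resolves references that are part of a longer string, e.g. a stringified manifest.
export function findSecretsManagerRefs(value: string): SecretsManagerRef[] {
  const re = /\{\{resolve:secretsmanager:([^}]*)\}\}/g;
  const refs: SecretsManagerRef[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(value)) !== null) refs.push(parseSecretsManagerRef(m[1]));
  return refs;
}

export type RefLocation = "output" | "custom-resource" | "resource";

export interface Finding {
  path: string;          // dotted path into the template, e.g. "Outputs.testoutput.Value"
  location: RefLocation;
  ref: SecretsManagerRef;
}

// Classify a template path by its section and, for resources, by the resource type.
function locate(template: Record<string, any>, path: string[]): RefLocation {
  if (path[0] === "Outputs") return "output";
  const type: string = template.Resources?.[path[1]]?.Type ?? "";
  if (type.indexOf("Custom::") === 0 || type === "AWS::CloudFormation::CustomResource") {
    return "custom-resource";
  }
  return "resource";
}

// Depth-first walk over every string in the template, collecting findings.
export function auditTemplate(template: Record<string, any>): Finding[] {
  const findings: Finding[] = [];
  const walk = (node: unknown, path: string[]): void => {
    if (typeof node === "string") {
      for (const ref of findSecretsManagerRefs(node)) {
        findings.push({ path: path.join("."), location: locate(template, path), ref });
      }
    } else if (Array.isArray(node)) {
      node.forEach((item, i) => walk(item, [...path, String(i)]));
    } else if (node !== null && typeof node === "object") {
      const obj = node as Record<string, unknown>;
      for (const key of Object.keys(obj)) walk(obj[key], [...path, key]);
    }
  };
  walk(template, []);
  return findings;
}

// Constructed sample template: the shape a stack like the one in this issue synthesizes.
// The ARN is the issue's placeholder; the Custom:: type name is a stand-in, not a real one.
const REF =
  "{{resolve:secretsmanager:arn:aws:secretsmanager:us-east-1:xxx:secret:yyy-secrets-zzz:SecretString:abcdef::}}";
export const SAMPLE_TEMPLATE: Record<string, any> = {
  Resources: {
    K8sSecret: {
      Type: "Custom::ExampleKubernetesResource", // placeholder for a manifest-applying custom resource
      Properties: { Manifest: JSON.stringify({ kind: "Secret", stringData: { password: REF } }) },
    },
    TaskDef: {
      Type: "AWS::ECS::TaskDefinition",
      Properties: { ContainerDefinitions: [{ Name: "app", Environment: [{ Name: "DB_PASSWORD", Value: REF }] }] },
    },
  },
  Outputs: { testoutput: { Value: REF } },
};

// One summary line per finding.
export function report(template: Record<string, any>): string[] {
  return auditTemplate(template).map(
    (f) => `${f.location}: ${f.path} -> ${f.ref.secretId} key=${f.ref.jsonKey || "(whole secret)"}`,
  );
}

report(SAMPLE_TEMPLATE).forEach((line) => console.log(line));
```

Running it on the sample prints three lines: the `custom-resource` finding for the stringified manifest (the addResource case), the `resource` finding for the ECS environment variable (resolved fine, as the earlier comment observed), and the `output` finding for `Outputs.testoutput.Value`. In a pipeline, failing the build on any `output` finding catches the secret-in-outputs exposure before deploy, and flagging `custom-resource` findings catches the silently unresolved case.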

Thanks. I think we can probably close this issue.
