Aws-sam-cli: Getting "Could not find a value associated with JSONKey in SecretString" after updating secret

Created on 4 Aug 2020 · 5Comments · Source: aws/aws-sam-cli

Description

Our SAM template references some secrets, as follow:

FOO_VAR: {{resolve:secretsmanager:FOO_SECRET:SecretString:foo}}

This morning we added a new key in the secret FOO (from console), and we wanted to update our SAM application to use this new key. Also, we removed an unused key. Though, stack deployment fails with the following error:

Could not find a value associated with JSONKey in SecretString

Steps to reproduce

Create a Secret in SecretManager from AWS Console (FOO_SECRET) and put one key/value in the secret (foo:bar)
Create a stack using SAM application default template
Within the template, reference the secret key created in step 1 as follow: {{resolve:secretsmanager:FOO_SECRET:SecretString:foo}}
Deploy your stack
Go in SecretsManager from the AWS Console and edit FOO_SECRET adding the following key: willFail: true and removing the old one (foo)
Within the template, remove the reference to foo and add the reference to the newly created secret key from step 5, as follow:
{{resolve:secretsmanager:FOO_SECRET:SecretString:willFail}}
Deploy your stack

Observed result

You'll get Could not find a value associated with JSONKey in SecretString, that (presumably) means that CloudFormation is trying to resolve foo which doesn't exist anymore.

Expected result

Deployment should work as no more references to foo exist in the template.

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

OS: Mac OS 10.15.5
sam --version: SAM CLI, version 0.53.0

stagneeds-investigation

Source

39otrebla

👍3

Most helpful comment

I am facing a similar issue.
Had a deployed stack with two keys
I then added a prefix to those keys and added two additional keys

Stack fails with Could not find a value associated with JSONKey in SecretString

A workaround is to temporarily add the old key back, it doesn't matter what the value is, the key just needs to be there for the stack to update successfully.

BenBraunstein on 1 Sep 2020

🎉2

All 5 comments

I am facing a similar issue.
Had a deployed stack with two keys
I then added a prefix to those keys and added two additional keys

Stack fails with Could not find a value associated with JSONKey in SecretString

A workaround is to temporarily add the old key back, it doesn't matter what the value is, the key just needs to be there for the stack to update successfully.

BenBraunstein on 1 Sep 2020

🎉2

This is happening with regular CFN templates too, Ben's workaround helps but majorly frustrating for large teams where figuring out the removed key(s) isn't so hassle free.

aliabas7 on 11 Sep 2020

Facing the same issue here.

Merged development into staging and deployed. The keys exist.
Once again I will have to look for a workaround (the one mentioned above does not work for me).

arturocanalda on 5 Oct 2020

Found the problem. It was on my secret key.
From the console I could clearly see my keys there in the "Secret/Key" tab. So far, so good.
When I switched to the "Plaintext" view, this is what I found:

{
  "MAILCHIMP_LIST_ID\t": "****"
}

(*) Notice that beautiful and invisible \t

arturocanalda on 5 Oct 2020

👀1

I am facing a similar issue.
Had a deployed stack with two keys
I then added a prefix to those keys and added two additional keys

Stack fails with Could not find a value associated with JSONKey in SecretString

A workaround is to temporarily add the old key back, it doesn't matter what the value is, the key just needs to be there for the stack to update successfully.

This workaround fixed the issue for me, I even tried having the cloudformation template not access the secrets manager at all and it still threw this error which is just brutal.