Reputation: 8107
I need to set environment vars for a container in AWS Fargate. Values for those vars are in AWS Secrets Manager; the secret ARN is arn:aws:secretsmanager:eu-west-1:909628726468:secret:secret.automation-user-KBSm8J, and it stores two key/value secrets, AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
In CloudFormation the following worked perfectly:
ContainerDefinitions:
  - Name: "prowler"
    Image: !Ref Image
    Environment:
      - Name: AWS_ACCESS_KEY_ID
        Value: '{{resolve:secretsmanager:secret.automation-user:SecretString:AWS_ACCESS_KEY_ID}}'
I have to do the same with Ansible (v2.9.15) and the community.aws.ecs_taskdefinition module.
Based on the "official" example I have the following snippet:
- name: Create task definition
  ecs_taskdefinition:
    family: "{{ task_definition_name }}"
    aws_access_key: "{{ aws_access_key }}"
    aws_secret_key: "{{ aws_secret_key }}"
    region: "{{ aws_region }}"
    execution_role_arn: "{{ execution_role_arn }}"
    containers:
      - name: prowler
        essential: true
        image: "{{ image }}"
        environment:
          - name: "AWS_ACCESS_KEY_ID"
            valueFrom: "arn:aws:secretsmanager:eu-west-1:909628726468:secret:secret.automation-user-KBSm8J/AWS_ACCESS_KEY_ID"
...but it doesn't work:
TASK [ansible-role-prowler-deploy : Create task definition] ********************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: KeyError: 'value'
fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n File \"/root/.ansible/tmp/ansible-tmp-1607197370.8633459-17-102108854554553/AnsiballZ_ecs_taskdefinition.py\", line 102, in <module>\n _ansiballz_main()\n File \"/root/.ansible/tmp/ansible-tmp-1607197370.8633459-17-102108854554553/AnsiballZ_ecs_taskdefinition.py\", line 94, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/root/.ansible/tmp/ansible-tmp-1607197370.8633459-17-102108854554553/AnsiballZ_ecs_taskdefinition.py\", line 40, in invoke_module\n runpy.run_module(mod_name='ansible.modules.cloud.amazon.ecs_taskdefinition', init_globals=None, run_name='__main__', alter_sys=True)\n File \"/usr/lib/python3.6/runpy.py\", line 205, in run_module\n return _run_module_code(code, init_globals, run_name, mod_spec)\n File \"/usr/lib/python3.6/runpy.py\", line 96, in _run_module_code\n mod_name, mod_spec, pkg_name, script_name)\n File \"/usr/lib/python3.6/runpy.py\", line 85, in _run_code\n exec(code, run_globals)\n File \"/tmp/ansible_ecs_taskdefinition_payload_5roid3ob/ansible_ecs_taskdefinition_payload.zip/ansible/modules/cloud/amazon/ecs_taskdefinition.py\", line 520, in <module>\n File \"/tmp/ansible_ecs_taskdefinition_payload_5roid3ob/ansible_ecs_taskdefinition_payload.zip/ansible/modules/cloud/amazon/ecs_taskdefinition.py\", line 357, in main\nKeyError: 'value'\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
I tried a few variations of that syntax, but no luck.
Upvotes: 0
Views: 710
Reputation: 8107
It turned out that the secrets section should have been used:
- name: Create ECS task definition
  ecs_taskdefinition:
    aws_access_key: "{{ aws_access_key }}"
    aws_secret_key: "{{ aws_secret_key }}"
    region: "{{ aws_region }}"
    family: "{{ task_definition_name }}"
    execution_role_arn: "{{ execution_role_arn }}"
    containers:
      - name: prowler
        essential: true
        image: "{{ image }}"
        repositoryCredentials:
          credentialsParameter: "{{ artifactory_creds_arn }}"
        logConfiguration:
          logDriver: awslogs
          options:
            "awslogs-group": "{{ log_group_name }}"
            "awslogs-region": "{{ aws_region }}"
            "awslogs-stream-prefix": "ecs"
        secrets:
          - name: "AWS_ACCESS_KEY_ID"
            valueFrom: "{{ aws_ak_arn }}"
          - name: "AWS_SECRET_ACCESS_KEY"
            valueFrom: "{{ aws_sk_arn }}"
        environment:
          - name: "AWS_ACCOUNT_ID"
            value: "{{ aws_id }}"
Upvotes: 1
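The failure in the question is the Ansible 2.9 module reading entry['value'] for every environment entry, so an entry that only carries valueFrom raises KeyError: 'value'; the answer moves the Secrets Manager references to the secrets list, where valueFrom is the expected key. As an added example (not part of the question or the answer, and not the Ansible module's own code), here is a small pre-flight check in Python that runs over the same containers structure before it is handed to ecs_taskdefinition. It reports environment entries that lack value or misuse valueFrom, secrets entries whose valueFrom is not a Secrets Manager or SSM Parameter Store ARN, and credential-like names stored as plain-text environment values (task definitions are readable by anyone allowed ecs:DescribeTaskDefinition, so that is where leaked keys usually end up). The ARN regexes follow the documented ECS reference formats; the ":json-key::" suffix is the documented way to select one key inside a JSON secret, which the question's "/AWS_ACCESS_KEY_ID" suffix is not. The account id, secret name and sample definitions are constructed placeholders.

```python
"""Pre-flight linter for the `containers` list passed to ecs_taskdefinition.

Added example, not code from the question, the answer or the Ansible module.
Account ids and secret names below are constructed placeholders.
"""
import re

# Documented ECS reference formats (added example; patterns are assumptions
# based on the documented shapes, not a complete ARN grammar):
#   Secrets Manager: arn:aws:secretsmanager:region:account:secret:name[:json-key:version-stage:version-id]
#   SSM parameter:   arn:aws:ssm:region:account:parameter/name
SECRETSMANAGER_ARN = re.compile(
    r"^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:[^:]+(:[^:]*:[^:]*:[^:]*)?$"
)
SSM_PARAM_ARN = re.compile(r"^arn:aws:ssm:[a-z0-9-]+:\d{12}:parameter/.+$")
# Names that should never be plain-text `environment` values.
SENSITIVE_NAME = re.compile(r"(SECRET|PASSWORD|TOKEN|ACCESS_KEY)", re.I)


def lint_container(container):
    """Return a list of findings (strings) for one container definition."""
    findings = []
    cname = container.get("name", "<unnamed>")

    for env in container.get("environment", []):
        name = env.get("name", "<unnamed>")
        if "value" not in env:
            # Exactly the condition that makes Ansible 2.9 raise KeyError: 'value'.
            findings.append(f"{cname}/environment/{name}: missing 'value'")
        if "valueFrom" in env:
            findings.append(
                f"{cname}/environment/{name}: 'valueFrom' belongs under 'secrets'"
            )
        elif SENSITIVE_NAME.search(name):
            findings.append(
                f"{cname}/environment/{name}: credential-like name stored in "
                "plain text; move it to 'secrets'"
            )

    for sec in container.get("secrets", []):
        name = sec.get("name", "<unnamed>")
        ref = sec.get("valueFrom")
        if ref is None:
            findings.append(f"{cname}/secrets/{name}: missing 'valueFrom'")
        elif not (SECRETSMANAGER_ARN.match(ref) or SSM_PARAM_ARN.match(ref)):
            findings.append(
                f"{cname}/secrets/{name}: 'valueFrom' is not a Secrets Manager "
                f"or SSM ARN: {ref}"
            )
    return findings


def lint_task(containers):
    """Lint every container definition; an empty list means nothing to fix."""
    return [f for c in containers for f in lint_container(c)]


# Constructed sample 1: the shape from the question (valueFrom under
# environment, and a '/key' suffix instead of ECS's ':key::' form).
BROKEN = [{
    "name": "prowler",
    "environment": [
        {"name": "AWS_ACCESS_KEY_ID",
         "valueFrom": "arn:aws:secretsmanager:eu-west-1:111111111111:secret:"
                      "secret.automation-user-AbCdEf/AWS_ACCESS_KEY_ID"},
    ],
}]

# Constructed sample 2: the shape from the answer, with the JSON key selected
# via the documented ':json-key::' suffix.
FIXED = [{
    "name": "prowler",
    "secrets": [
        {"name": "AWS_ACCESS_KEY_ID",
         "valueFrom": "arn:aws:secretsmanager:eu-west-1:111111111111:secret:"
                      "secret.automation-user-AbCdEf:AWS_ACCESS_KEY_ID::"},
        {"name": "AWS_SECRET_ACCESS_KEY",
         "valueFrom": "arn:aws:secretsmanager:eu-west-1:111111111111:secret:"
                      "secret.automation-user-AbCdEf:AWS_SECRET_ACCESS_KEY::"},
    ],
    "environment": [{"name": "AWS_ACCOUNT_ID", "value": "111111111111"}],
}]

if __name__ == "__main__":
    for label, task in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_task(task) or "OK")
```

Running this over the two samples reports two findings for the question's shape (missing value, and valueFrom in the wrong section) and none for the answer's shape. One caveat the linter cannot check: the role passed as execution_role_arn must be allowed secretsmanager:GetSecretValue (and kms:Decrypt if the secret uses a customer-managed key) on those ARNs, or the task will fail at launch rather than at task-definition registration.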