CodeMed

Reputation: 9191

upload file into AWS Secrets Manager using Terraform

What specific changes need to be made to the syntax of the example below in order for Terraform to successfully upload the named file into a secret in AWS Secrets Manager?

Note that an AWS EC2 instance running Amazon Linux 2 is also created by the same Terraform module and needs to retrieve this file from Secrets Manager. The same Amazon Linux 2 EC2 instance is already able to successfully retrieve a string secret from the same AWS Secrets Manager. Therefore, this problem is isolated to uploading a file instead of a short string.

If it is not possible to upload the file object, then a second best answer would show how to upload the textual contents of the file. Note that the file is an x509 certificate that will need to be used by a program running in an EC2 instance. The textual contents are the typical length of an x509 certificate, which is a relatively small amount of text.

CURRENT CODE:

variable "certFileAndPath" { default = "C:\\path\\to\\the\\x509\\certificate.crt" }

resource "aws_secretsmanager_secret" "example-cert" {
  name = "example-cert"
  recovery_window_in_days = 0
}

resource "aws_secretsmanager_secret_version" "cert-val" {
  secret_id     = aws_secretsmanager_secret.example-cert.id
  secret_binary = filebase64(var.certFileAndPath)
}

CURRENT RESULTS:

Currently, the Terraform code above results in None being echoed out by the cloud-init script that retrieves the secret. And also, the AWS web UI console for Secrets Manager does not show any content when a human user tries to read the contents of the secret, which indeed is created by the code above. And Terraform runs the code above without throwing an error.

The cloud-init bash userdata command that echoes out None in the resulting EC2 instance's /var/log/cloud-init-output.log is:

echo "example-cert is: \n"
echo $(aws secretsmanager get-secret-value --secret-id "example-cert" --version-stage AWSCURRENT --region "${var._region}" --output text --query SecretString)

Upvotes: 2

Views: 2728

Answers (1)

Marcin

Reputation: 238209

If you are using secret_binary, in the AWS CLI you should use SecretBinary:

aws secretsmanager get-secret-value --secret-id "example-cert" --version-stage AWSCURRENT --region "${var._region}" --output text --query SecretBinary

Upvotes: 1
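The answer's point in a form you can drop into userdata, as an added example that is neither the question's nor the answer's code: because the secret was written with secret_binary = filebase64(...), the CLI returns the SecretBinary field base64-encoded, and querying SecretString yields None (the console likewise will not display a binary secret value). The script below queries SecretBinary, decodes the payload back into a certificate file with owner-only permissions, and fails loudly if the field is missing or does not decode to a PEM certificate. The secret name, region and output path are hypothetical placeholders, and it assumes the instance role already allows secretsmanager:GetSecretValue on the secret.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Assumes: aws CLI on the instance with a role allowing
# secretsmanager:GetSecretValue; SECRET_ID, AWS_REGION and CERT_OUT are
# hypothetical defaults, override them via the environment.
set -eu

SECRET_ID="${SECRET_ID:-example-cert}"
AWS_REGION="${AWS_REGION:-us-east-1}"
CERT_OUT="${CERT_OUT:-/etc/pki/tls/certs/example-cert.crt}"

# Fetch the SecretBinary field. With --output text the CLI prints it
# base64-encoded, so the raw output is not yet the certificate.
fetch_secret_binary_b64() {
  aws secretsmanager get-secret-value \
    --secret-id "$1" \
    --version-stage AWSCURRENT \
    --region "$2" \
    --output text \
    --query SecretBinary
}

# Decode a base64 payload into a file readable only by the owner and check
# that it is a PEM certificate. Returns non-zero on any problem so a
# cloud-init run fails visibly instead of silently writing "None" or junk.
install_cert_from_b64() {
  b64="$1"
  out="$2"
  case "$b64" in
    ""|None)
      echo "no SecretBinary returned for secret" >&2
      return 1 ;;
  esac
  # Subshell so the restrictive umask does not leak into the caller.
  ( umask 077; printf '%s\n' "$b64" | base64 -d > "$out" ) || {
    rm -f "$out"
    echo "SecretBinary is not valid base64" >&2
    return 1
  }
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$out"; then
    rm -f "$out"
    echo "decoded payload is not a PEM certificate" >&2
    return 1
  fi
  return 0
}

main() {
  b64="$(fetch_secret_binary_b64 "$SECRET_ID" "$AWS_REGION")"
  install_cert_from_b64 "$b64" "$CERT_OUT"
  echo "wrote $CERT_OUT"
}

# Run main only when RUN_MAIN=1, so the functions can be sourced elsewhere.
if [ "${RUN_MAIN:-0}" = "1" ]; then
  main
fi
```

Run it from userdata as RUN_MAIN=1 sh retrieve_cert.sh (the filename is hypothetical). If you would rather keep the certificate as text, write it with secret_string = file(var.certFileAndPath) instead of secret_binary; then the original --query SecretString command works unchanged and no base64 decoding step is needed.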
