Reputation: 499
I'm using Terraform to create both the App Runner instance and the Secrets Manager secret.
I'm getting a socket timeout error when trying to access Secrets Manager from App Runner.
I'm new to App Runner, but I assumed that App Runner would have access to Secrets Manager.
The application requires access to the database on startup but can't retrieve the DB connection string stored in Secrets Manager on start, so the deployment of App Runner fails.

Error:

```
Caused by: org.apache.http.conn.ConnectTimeoutException:
Connect to sts.us-east-1.amazonaws.com:443
[sts.us-east-1.amazonaws.com/54.239.24.200] failed: Connect timed out
```
Upvotes: 4
Views: 2568
Reputation: 1813
EDIT: As of Jan 2023, this is supported now: https://aws.amazon.com/about-aws/whats-new/2023/01/aws-app-runner-secrets-configuration-aws-secrets-systems-manager.
They've also added CDK support: https://github.com/aws/apprunner-roadmap/issues/6#issuecomment-1399768598
OLD ANSWER BELOW:
It doesn't look like it is currently supported, but is on the roadmap. See the AWS App Runner roadmap here:
https://github.com/aws/apprunner-roadmap
You can also vote for this specific feature request:
https://github.com/aws/apprunner-roadmap/issues/6
Upvotes: 6
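How the January 2023 feature looks in Terraform, as an added example that is not part of the question or of any answer above: the service references the secret by ARN in `runtime_environment_secrets`, App Runner resolves it and injects the value as an environment variable when the instance launches, and the application code no longer has to call Secrets Manager (or STS) itself at startup. The secret name, role names, service name, account ID and image URI are placeholders, and the block assumes an AWS provider version recent enough to know `runtime_environment_secrets` (it was added to the provider in early 2023).

```hcl
# Added example: App Runner service reading a Secrets Manager secret through
# runtime_environment_secrets. All names and the image URI are placeholders.

resource "aws_secretsmanager_secret" "db" {
  name = "example/app/db-connection" # assumed name
}

# Role App Runner uses to pull the image from a private ECR repository
# (not needed for image_repository_type = "ECR_PUBLIC").
resource "aws_iam_role" "access" {
  name = "example-apprunner-ecr-access"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "build.apprunner.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role_policy_attachment" "access_ecr" {
  role       = aws_iam_role.access.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSAppRunnerServicePolicyForECRAccess"
}

# Instance role: the identity the running container (and App Runner, when it
# resolves the secret on the container's behalf) uses at runtime.
resource "aws_iam_role" "instance" {
  name = "example-apprunner-instance"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "tasks.apprunner.amazonaws.com" }
    }]
  })
}

# Least privilege: only GetSecretValue, and only on this one secret ARN.
resource "aws_iam_role_policy" "read_db_secret" {
  role = aws_iam_role.instance.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["secretsmanager:GetSecretValue"]
      Resource = aws_secretsmanager_secret.db.arn
    }]
  })
}

resource "aws_apprunner_service" "app" {
  service_name = "example-app" # placeholder

  source_configuration {
    auto_deployments_enabled = false

    authentication_configuration {
      access_role_arn = aws_iam_role.access.arn
    }

    image_repository {
      image_repository_type = "ECR"
      # Placeholder account ID and repository.
      image_identifier = "123456789012.dkr.ecr.us-east-1.amazonaws.com/example-app:latest"

      image_configuration {
        port = "8080"

        # Plain, non-sensitive settings stay in runtime_environment_variables.
        runtime_environment_variables = {
          SPRING_PROFILES_ACTIVE = "prod"
        }

        # App Runner fetches the secret with the instance role and exposes the
        # SecretString as DB_CONNECTION inside the container.
        runtime_environment_secrets = {
          DB_CONNECTION = aws_secretsmanager_secret.db.arn
        }
      }
    }
  }

  instance_configuration {
    instance_role_arn = aws_iam_role.instance.arn
  }
}
```

Two checks worth doing before applying this: if the secret is encrypted with a customer-managed KMS key rather than the AWS-managed one, the instance role also needs `kms:Decrypt` on that key, and the value injected is the whole `SecretString`, so a secret stored as a JSON object arrives as that JSON text and the application has to parse it.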
Reputation: 11
App Runner now supports Secrets Manager and SSM params: https://aws.amazon.com/about-aws/whats-new/2023/01/aws-app-runner-secrets-configuration-aws-secrets-systems-manager/
Upvotes: 1
Reputation: 1323035
Dec. 2022: apprunner-roadmap issue 6 ("External Configuration/Secret Sources") just had two updates:

Hari Ohm Prasath from Amazon Web Services adds:

The team is actively working on this feature, we will keep you updated about the progress in the upcoming weeks.

Andreas Donig proposes:

Not sure whether this is a working workaround because I didn't try it, but isn't it possible to pass the secret ARN as an environment variable to the container and there use the awscli to get the secret value and do something with it, for example put it in the container command execution environment in docker-entrypoint.sh like this:

```bash
#!/bin/bash
set -euo pipefail   # no -x here: tracing would echo the secret value into the container logs
# MY_SECRET_ARN is the plain environment variable holding the secret's ARN
MY_SECRET_VALUE=$(aws secretsmanager get-secret-value \
  --secret-id "$MY_SECRET_ARN" --query SecretString --output text)
# hand the value to the real command as MY_VARIABLE, without writing it to disk
exec env MY_VARIABLE="$MY_SECRET_VALUE" "$@"
```
I believe it should work as long as you have a VPC connector to a VPC with a Secrets Manager VPC endpoint and your task role allows the containers to access Secrets Manager.
Upvotes: 0