Does AWS App Runner support accessing values in Secrets Manager?


I'm using Terraform to create both the App Runner instance and the Secrets Manager secret.

I'm getting a socket timeout error when trying to access Secrets Manager from App Runner.
I'm new to App Runner, but I assumed that App Runner would have access to Secrets Manager.

The application requires access to the database on startup, but it can't retrieve the DB connection details stored in Secrets Manager on start, so the deployment of App Runner fails.

Error: Caused by: org.apache.http.conn.ConnectTimeoutException: 
Connect to sts.us-east-1.amazonaws.com:443 
[sts.us-east-1.amazonaws.com/54.239.24.200] failed: Connect timed out

BEST ANSWER

EDIT: As of Jan 2023, this is supported now: https://aws.amazon.com/about-aws/whats-new/2023/01/aws-app-runner-secrets-configuration-aws-secrets-systems-manager.

They've also added CDK support: https://github.com/aws/apprunner-roadmap/issues/6#issuecomment-1399768598

OLD ANSWER BELOW:

It doesn't look like it is currently supported, but is on the roadmap. See the AWS App Runner roadmap here:

https://github.com/aws/apprunner-roadmap

You can also vote for this specific feature request:

https://github.com/aws/apprunner-roadmap/issues/6
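Since the native feature is what the accepted answer now points to, and the question is about Terraform, here is an added example (not code from the original post or from AWS) showing what that configuration looks like with the `aws_apprunner_service` resource: the secret, an instance role that is allowed to read only that one secret, and the service referencing the secret by ARN through `runtime_environment_secrets`. The secret name, role and service names, region-independent image URI and the sample secret contents are all assumptions.

```hcl
# Added example, not the original poster's Terraform. Names, image URI and
# the secret contents are assumed/constructed for illustration.

resource "aws_secretsmanager_secret" "db" {
  name = "example/app/db" # assumed name
}

resource "aws_secretsmanager_secret_version" "db" {
  secret_id = aws_secretsmanager_secret.db.id
  # Constructed sample value; a real deployment would not put the
  # password in Terraform state like this.
  secret_string = jsonencode({
    host     = "db.example.internal"
    username = "app"
    password = "change-me"
  })
}

# Instance role: the identity the *running* container uses. Its trust
# principal is tasks.apprunner.amazonaws.com (build.apprunner.amazonaws.com
# is the separate access role used only to pull images from private ECR).
data "aws_iam_policy_document" "instance_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["tasks.apprunner.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "instance" {
  name               = "example-apprunner-instance" # assumed name
  assume_role_policy = data.aws_iam_policy_document.instance_trust.json
}

# Least privilege: read exactly this secret and nothing else.
# If the secret is encrypted with a customer-managed KMS key rather than
# the AWS-managed aws/secretsmanager key, add kms:Decrypt on that key too.
data "aws_iam_policy_document" "read_db_secret" {
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.db.arn]
  }
}

resource "aws_iam_role_policy" "read_db_secret" {
  role   = aws_iam_role.instance.id
  policy = data.aws_iam_policy_document.read_db_secret.json
}

resource "aws_apprunner_service" "app" {
  service_name = "example-app" # assumed name

  source_configuration {
    auto_deployments_enabled = false
    image_repository {
      image_repository_type = "ECR_PUBLIC"
      image_identifier      = "public.ecr.aws/example/app:latest" # assumed
      image_configuration {
        port = "8080"
        # Non-sensitive configuration stays in plain environment variables.
        runtime_environment_variables = {
          SPRING_PROFILES_ACTIVE = "prod"
        }
        # Secrets are referenced by ARN. App Runner resolves the value with
        # the instance role and exposes it to the container as DB_SECRET_JSON;
        # the ARN, not the value, is what ends up in the service definition.
        runtime_environment_secrets = {
          DB_SECRET_JSON = aws_secretsmanager_secret.db.arn
        }
      }
    }
  }

  instance_configuration {
    instance_role_arn = aws_iam_role.instance.arn
  }
}
```

Two things worth checking before applying this. First, the policy attached to the instance role must grant `secretsmanager:GetSecretValue` on the specific secret ARN; if it does not, the service fails to start rather than falling back. Second, if the service also uses a VPC connector, all of the application's own outbound traffic is routed through that VPC, so any AWS API the application itself calls at startup (Secrets Manager, or the STS endpoint seen in the question's timeout) needs either a NAT gateway or an interface VPC endpoint in those subnets; the connect timeout in the question is what the absence of both looks like.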

ANSWER

Dec. 2022: apprunner-roadmap issue 6 ("External Configuration/Secret Sources") just had two updates:

  • Hari Ohm Prasath from Amazon Web Services adds:

    The team is actively working on this feature, we will keep you updated about the progress in the upcoming weeks.

  • Andreas Donig proposes:

    Not sure whether this is a working workaround because I didn't try it, but isn't it possible to pass the secret ARN as an environment variable to the container, use the awscli there to get the secret value, and do something with it, for example put it in the container command's execution environment in docker-entrypoint.sh like this:

    #!/bin/bash
    # No -x here: with set -x the expanded secret value would be traced into the container logs.
    set -euo pipefail
    # MY_SECRET_ARN is the environment variable carrying the secret ARN; quote it so an ARN with odd characters survives word splitting.
    MY_SECRET_VALUE=$(aws secretsmanager get-secret-value --secret-id "$MY_SECRET_ARN" --query SecretString --output text)
    # exec so the real command replaces this shell and receives signals directly.
    exec env MY_VARIABLE="$MY_SECRET_VALUE" "$@"
    

    I believe it should work as long as you have a VPC connector to a VPC with a Secrets Manager VPC endpoint and your task role allows the containers to access Secrets Manager.
