Terraform 'aws_secretsmanager_secret' pass arn error: Invalid template interpolation value

Question

Terraform 'aws_secretsmanager_secret' pass arn error: Invalid template interpolation value

1.1k Views Asked by wawawa At 31 October 2025 at 12:04

I have a Lambda which will read a secret from Secret Manager, they all managed by Terraform. So in Terraform I have a definition for this secret:

resource "aws_secretsmanager_secret" "example" {
  name = "example"
}

and for Lambda, I have attached a permission to get the secret:

resource "aws_iam_role_policy" "example_role_policy" {
  name   = "example-role-policy"
  role   = aws_iam_role.example_lambda_role.id
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
.....(other needed permissions)
    },
    {
      "Sid": "GetDatabaseSecret",
      "Effect":"Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "${local.secret_arn}"
    }
  ]
}
POLICY
}

I have secret_arn defined in variables:

locals{

secret_arn = "arn:aws:secretsmanager:::us-east-1:${local.account_number}:secret:${aws_secretsmanager_secret.example}-*"

}

When I apply Terraform, it gave me error:

Error: Invalid template interpolation value

  on ..\..\xxx\terraform\variables.tf line 39, in locals:
  39:   secret_arn = "arn:aws:secretsmanager:::us-east-1:${local.account_number}:secret:${aws_secretsmanager_secret.example}-*"
    |----------------
    | aws_secretsmanager_secret.example is object with 12 attributes

Cannot include the given value in a string template: string required.

I tried to replae *with ?????? in the secrect_arn but still not working, couldn't find anything useful online, might someone be able to help? Many thanks.

Original Q&A

There are 2 best solutions below

OpenBSDNinja On 01 March 2021 at 11:57

I could be wrong, but I think you're overthinking it. Try this:

secret_arn = aws_secretsmanager_secret.example.arn

Remember you're setting the account ID and region when you setup the AWS provider with:

provider "aws" {
  alias   = "ireland" # Your is in america but you get what I mean :)
  version = "2.70.0"
  region  = "eu-west-1"
...

**Marcin** · Accepted Answer

Your local.secret_arn should be using ${aws_secretsmanager_secret.example.name}-*", not ${aws_secretsmanager_secret.example}-*".

But the easiest way to get the arn in your policy it would be simply:

resource "aws_iam_role_policy" "example_role_policy" {
  name   = "example-role-policy"
  role   = aws_iam_role.example_lambda_role.id
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
.....(other needed permissions)
    },
    {
      "Sid": "GetDatabaseSecret",
      "Effect":"Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "${aws_secretsmanager_secret.example.arn}"
    }
  ]
}
POLICY
}

Terraform 'aws_secretsmanager_secret' pass arn error: Invalid template interpolation value

There are 2 best solutions below

Related Questions in AMAZON-WEB-SERVICES

Related Questions in LAMBDA

Related Questions in TERRAFORM

Related Questions in TERRAFORM-PROVIDER-AWS

Related Questions in SECRET-MANAGER

Trending Questions

Popular # Hahtags

Popular Questions