I'm trying to use a secret in the cfn-init of an EC2 instance in CloudFormation. Based on Secrets Manager Secrets it should not be difficult, but what I'm trying is to use it as part of the command, in my case:
    01_login_in_docker:
      command: !Join
        - ' '
        - - 'docker login -u '
          - '{{resolve:secretsmanager:docker-info:SecretString:DOCKER_ACCOUNT_USERNAME}} '
          - '-p '
          - '{{resolve:secretsmanager:docker-info:SecretString:DOCKER_ACCOUNT_PASSWORD}} '
          - 'cloud.canister.io:5000'
docker-info is a secret stored in my account and therefore I supposedly only need the name to access the keys, not the ARN.
Reviewing cfn-init.log I see that CF is not resolving anything:
[ERROR] Command 01_login_in_docker (docker login -u {{resolve:secretsmanager:docker-info:SecretString:DOCKER_ACCOUNT_USERNAME}} -p {{resolve:secretsmanager:docker-info:SecretString:DOCKER_ACCOUNT_PASSWORD}} cloud.canister.io:5000) failed
Has anyone tried something similar or could spot where my problem is?
It's not explicitly mentioned, but all the examples use dynamic references as a whole value and not as part of another string. So maybe try passing those as environment variables. It should be a bit more secure too as the logs won't contain the password in the command.
    01_login_in_docker:
      command: |
        docker login -u "$DOCKER_ACCOUNT_USERNAME" -p "$DOCKER_ACCOUNT_PASSWORD" cloud.canister.io:5000
      env:
        DOCKER_ACCOUNT_USERNAME: '{{resolve:secretsmanager:docker-info:SecretString:DOCKER_ACCOUNT_USERNAME}}'
        DOCKER_ACCOUNT_PASSWORD: '{{resolve:secretsmanager:docker-info:SecretString:DOCKER_ACCOUNT_PASSWORD}}'
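An alternative to templating the secret into the cfn-init config, added here as an example and not part of the answer above: a script the cfn-init command can call, which reads docker-info on the instance at run time and hands the password to docker login on stdin, so it never appears in the command line that cfn-init.log records. It assumes the instance role allows secretsmanager:GetSecretValue on the secret, that aws, docker and python3 are installed with a default region configured, and the script path shown in the comment is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): fetch the secret on the
# instance instead of resolving it in the template.
# Assumptions: instance role may read "docker-info"; aws, docker and
# python3 are on PATH; a default AWS region is configured.
set -eu

# Print one key of a JSON SecretString read on stdin.
secret_field() {
    python3 -c 'import json, sys; sys.stdout.write(json.load(sys.stdin)[sys.argv[1]])' "$1"
}

# docker_login_from_secret SECRET_ID REGISTRY
docker_login_from_secret() {
    secret_id=$1
    registry=$2
    # The SecretString is held in a shell variable and fed to the parser
    # with the printf builtin, so it never becomes a process argument.
    secret_json=$(aws secretsmanager get-secret-value \
        --secret-id "$secret_id" --query SecretString --output text)
    user=$(printf '%s' "$secret_json" | secret_field DOCKER_ACCOUNT_USERNAME)
    # The password reaches docker on stdin only: it is absent from the
    # command line that cfn-init logs on failure and from ps output.
    printf '%s' "$secret_json" | secret_field DOCKER_ACCOUNT_PASSWORD |
        docker login -u "$user" --password-stdin "$registry"
}

# Runs only when called with two arguments, e.g. as the cfn-init command:
#   /opt/docker-login.sh docker-info cloud.canister.io:5000   (hypothetical path)
if [ "$#" -eq 2 ]; then
    docker_login_from_secret "$1" "$2"
fi
```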