Set Secret with Key in AWS Fargate Task from SecretsManager with CDK .NET

Question

I've generated a secret in AWS with two key/value pairs. I now want to set my Fargate Task in CDK with both these secrets as Env Variables. I've been through the documentation and am following these two documents:

Using Secrets Manager to secure sensitive data and Get a value from AWS Secrets Manager

I'm setting the secrets like so:

TaskImageOptions = new ApplicationLoadBalancedTaskImageOptions
{
    ContainerName = "Container name",
    Image = (...),
    Secrets = new Dictionary<string, Amazon.CDK.AWS.ECS.Secret>
    {
        {"ENV_KEY_1", Amazon.CDK.AWS.ECS.Secret.FromSecretsManager(Secret.FromSecretCompleteArn(this, "secret-name-1", "full-arn-1"))},
        {"ENV_KEY_2", Amazon.CDK.AWS.ECS.Secret.FromSecretsManager(Secret.FromSecretCompleteArn(this, "secret-name-2", "full-arn-2"))}
    }
}

According to the documentation (second link), to set a specific key on a secret, I should use something like the following:

{
  "containerDefinitions": [{
    "secrets": [{
      "name": "environment_variable_name",
      "valueFrom": "arn:aws:secretsmanager:region:aws_account_id:secret:appauthexample-AbCdEf:username1::"
    }]
  }]
}

However, the Secret.FromSecretCompleteArn does not support this. It expects only the full arn up to the 6 random characters, and it fails if I add the key (or version).

I found no way of getting this key to be set. I tried: Secret.FromNameV2 , Secret.FromSecretPartialArn and Secret.FromAttributes .

Answer 1

First of all, FromSecretsManagerVersion requires version information via the required VersionInfo argument, which you're not providing. If you don't need it, use FromSecretsManager .

As to your question, both of the methods above have a Field argument that do exactly what you want - select a field from a JSON object.

Documentation reference: https://constructs.dev/packages/aws-cdk-lib/v/2.43.0/api/Secret?lang=dotnet&submodule=aws_ecs#fromSecretsManager