insitro/redun

Config option `db_aws_secret_name` only works if the secret is in `us-west-2`

Closed this issue · 2 comments

I'm unable to use an AWS secret for my redun db credentials, unless the secret is stored in the us-west-2 region.

In my .redun file:

[backend]
db_aws_secret_name = my_redun_secret

Then, on the command line:

$ redun db info
Traceback (most recent call last):
  File "***/bin/redun", line 11, in <module>
    client.execute()
  File "***/lib/python3.7/site-packages/redun/cli.py", line 1021, in execute
    return args.func(args, extra_args, argv)
  File "***/lib/python3.7/site-packages/redun/cli.py", line 2602, in db_info_command
    backend = setup_backend_db(args.config, args.repo)
  File "***/lib/python3.7/site-packages/redun/cli.py", line 705, in setup_backend_db
    return RedunBackendDb(config=backend_config)
  File "***/lib/python3.7/site-packages/redun/backends/db/__init__.py", line 1047, in __init__
    self.db_uri: str = RedunBackendDb._get_uri(db_uri, config)
  File "***/lib/python3.7/site-packages/redun/backends/db/__init__.py", line 2324, in _get_uri
    return RedunBackendDb._get_uri_from_secret(db_aws_secret_name)
  File "***/lib/python3.7/site-packages/redun/backends/db/__init__.py", line 2354, in _get_uri_from_secret
    get_secret_value_response = client.get_secret_value(SecretId=secret_name)
  File "***/lib/python3.7/site-packages/botocore/client.py", line 391, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "***/lib/python3.7/site-packages/botocore/client.py", line 719, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: *** is not authorized to perform: secretsmanager:GetSecretValue on resource: my_redun_secret because no identity-based policy allows the secretsmanager:GetSecretValue action

I think the fix will involve checking for a region config variable before creating the aws client to lookup the secret.

I am able to work around this by using db_uri, db_username_env and db_password_env instead.

Cheers!

ctk3b commented

Thanks for the report and great suggestion! We've got a fix for this in the works that should make it into the next release.

We have fixed this in redun==0.8.6, which we recently released. redun CLI now consults the usual environment variable AWS_REGION when using the configuration option db_aws_secret_name to fetch the db secret from AWS Secrets Manager. We previously were using a hardcoded default region.

Feel free to reopen this if the issue does not seem resolved. Thanks again for submitting the issue.
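The region-resolution behaviour described in the fix above, as an added example that is not redun's own code: the region is resolved explicitly from configuration or AWS_REGION before the Secrets Manager client is built, and a missing region fails loudly instead of silently falling back to a hardcoded default. The `aws_region` config key, the secret's JSON field names and the sample secret are assumptions made for the example.

```python
import json
import os
from typing import Mapping
from urllib.parse import quote

# Added example, not redun's code. Demonstrates resolving the region before
# creating the Secrets Manager client, instead of relying on a hardcoded default.


def resolve_region(config: Mapping[str, str], env: Mapping[str, str] = os.environ) -> str:
    """Pick the region used for the Secrets Manager lookup.

    Order: a hypothetical ``aws_region`` backend option, then AWS_REGION (the
    variable the redun fix consults), then AWS_DEFAULT_REGION. With no region
    set we raise: a silent default sends the request to the wrong region and
    surfaces only as an opaque AccessDeniedException, as in the traceback above.
    """
    for candidate in (config.get("aws_region"), env.get("AWS_REGION"), env.get("AWS_DEFAULT_REGION")):
        if candidate:
            return candidate
    raise ValueError("no AWS region configured; set AWS_REGION or the backend aws_region option")


def secret_to_db_uri(secret_string: str) -> str:
    """Build a SQLAlchemy-style URI from a Secrets Manager JSON payload.

    Assumes (example convention) the secret holds engine/username/password/
    host/port/dbname keys. Credentials are percent-encoded so characters such
    as '@' or '/' in a password cannot corrupt the URI.
    """
    secret = json.loads(secret_string)
    engine = secret.get("engine", "postgresql")
    user = quote(secret["username"], safe="")
    password = quote(secret["password"], safe="")
    return f"{engine}://{user}:{password}@{secret['host']}:{secret['port']}/{secret['dbname']}"


def fetch_db_uri(secret_name: str, config: Mapping[str, str]) -> str:
    """Fetch the secret with a region-aware client (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the pure helpers above run without boto3 installed

    client = boto3.client("secretsmanager", region_name=resolve_region(config))
    response = client.get_secret_value(SecretId=secret_name)
    return secret_to_db_uri(response["SecretString"])


if __name__ == "__main__":
    # Constructed sample secret; no network access is needed for these two calls.
    sample = json.dumps({"engine": "postgresql", "username": "redun", "password": "p@ss/w:rd",
                         "host": "db.example.internal", "port": 5432, "dbname": "redun"})
    print(resolve_region({}, {"AWS_REGION": "eu-west-1"}))
    print(secret_to_db_uri(sample))
```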