Config option `db_aws_secret_name` only works if the secret is in `us-west-2`
Closed this issue · 2 comments
I'm unable to use an aws secret for my redun db credentials, unless the secret is stored in the us-west-2 region.
In my `.redun` file:
```
[backend]
db_aws_secret_name = my_redun_secret
```
Then, on the command line:
```
$ redun db info
Traceback (most recent call last):
  File "***/bin/redun", line 11, in <module>
    client.execute()
  File "***/lib/python3.7/site-packages/redun/cli.py", line 1021, in execute
    return args.func(args, extra_args, argv)
  File "***/lib/python3.7/site-packages/redun/cli.py", line 2602, in db_info_command
    backend = setup_backend_db(args.config, args.repo)
  File "***/lib/python3.7/site-packages/redun/cli.py", line 705, in setup_backend_db
    return RedunBackendDb(config=backend_config)
  File "***/lib/python3.7/site-packages/redun/backends/db/__init__.py", line 1047, in __init__
    self.db_uri: str = RedunBackendDb._get_uri(db_uri, config)
  File "***/lib/python3.7/site-packages/redun/backends/db/__init__.py", line 2324, in _get_uri
    return RedunBackendDb._get_uri_from_secret(db_aws_secret_name)
  File "***/lib/python3.7/site-packages/redun/backends/db/__init__.py", line 2354, in _get_uri_from_secret
    get_secret_value_response = client.get_secret_value(SecretId=secret_name)
  File "***/lib/python3.7/site-packages/botocore/client.py", line 391, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "***/lib/python3.7/site-packages/botocore/client.py", line 719, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: *** is not authorized to perform: secretsmanager:GetSecretValue on resource: my_redun_secret because no identity-based policy allows the secretsmanager:GetSecretValue action
```
I think the fix will involve checking for a region config variable before creating the aws client to lookup the secret.
I am able to work around this by using `db_uri`, `db_username_env` and `db_password_env` instead.
Cheers!
Thanks for the report and great suggestion! We've got a fix for this in the works that should make it into the next release.
We have fixed this in `redun==0.8.6`, which we recently released. redun CLI now consults the usual environment variable `AWS_REGION` when using the configuration option `db_aws_secret_name` to fetch the db secret from AWS Secrets Manager. We previously were using a hardcoded default region.
Feel free to reopen this if the issue does not seem resolved. Thanks again for submitting the issue.
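The behaviour described in this thread, as an added example that is not redun's code and not part of the issue: Secrets Manager is a regional service, so a client built for a hardcoded region asks for a secret that does not exist there, and the failure surfaces as an access error rather than a clear "wrong region" message. The example resolves the region from configuration or the standard environment variables before building the client, refuses to guess when none is set, and uses a constructed in-memory stand-in for the boto3 client so it runs offline. The `db_aws_secret_region` config key, the `SecretNotFound` exception and the RDS-style JSON layout of the secret are assumptions of this example, not redun's documented interface.

```python
import json
import os
from typing import Callable, Dict, Mapping, Optional
from urllib.parse import quote


class SecretNotFound(Exception):
    """Raised when the secret does not exist in the region the client was built for."""


def resolve_region(config: Mapping[str, str], env: Optional[Mapping[str, str]] = None) -> Optional[str]:
    """Decide which region to use for the Secrets Manager client.

    Order: an explicit (hypothetical) `db_aws_secret_region` config key, then the
    standard AWS_REGION and AWS_DEFAULT_REGION environment variables. Returns None
    when nothing is set so the caller fails loudly instead of silently picking a
    default region.
    """
    if env is None:
        env = os.environ
    return (
        config.get("db_aws_secret_region")
        or env.get("AWS_REGION")
        or env.get("AWS_DEFAULT_REGION")
        or None
    )


class FakeSecretsManager:
    """Constructed stand-in for boto3's secretsmanager client.

    A client built for one region only sees secrets stored in that region; a
    miss raises, much as the real API raises ResourceNotFoundException or
    AccessDeniedException.
    """

    def __init__(self, region: str, store: Dict[str, Dict[str, str]]):
        self.region = region
        self._store = store

    def get_secret_value(self, SecretId: str) -> Dict[str, str]:
        secrets = self._store.get(self.region, {})
        if SecretId not in secrets:
            raise SecretNotFound(f"{SecretId!r} is not visible from region {self.region}")
        return {"SecretString": secrets[SecretId]}


def boto3_client(region: str):
    """Real client factory; boto3 is imported lazily so the module runs without it."""
    import boto3

    return boto3.client("secretsmanager", region_name=region)


def get_db_uri_from_secret(
    secret_name: str,
    region: Optional[str],
    client_factory: Callable[[str], object] = boto3_client,
) -> str:
    """Build a database URI from a Secrets Manager secret.

    Assumes the secret is a JSON document with RDS-style keys
    (engine, username, password, host, port, dbname); that layout is an
    assumption of this example, not redun's documented format.
    """
    if not region:
        raise ValueError("no AWS region configured: set AWS_REGION (or AWS_DEFAULT_REGION)")
    client = client_factory(region)
    payload = json.loads(client.get_secret_value(SecretId=secret_name)["SecretString"])
    # Percent-encode credentials so characters such as '@' or '/' in a password
    # cannot change the structure of the URI.
    user = quote(payload["username"], safe="")
    password = quote(payload["password"], safe="")
    return f"{payload['engine']}://{user}:{password}@{payload['host']}:{payload['port']}/{payload['dbname']}"


# Constructed sample store: the secret lives in eu-west-1 only.
SAMPLE_STORE = {
    "eu-west-1": {
        "my_redun_secret": json.dumps({
            "engine": "postgresql",
            "username": "redun",
            "password": "p@ss/word",
            "host": "db.example.internal",
            "port": 5432,
            "dbname": "redun",
        })
    }
}


def fetch_with_region(region: Optional[str]) -> str:
    """Fetch the sample secret through the fake client built for `region`."""
    return get_db_uri_from_secret(
        "my_redun_secret", region, lambda r: FakeSecretsManager(r, SAMPLE_STORE)
    )


if __name__ == "__main__":
    # Hardcoded default region: the lookup fails although the secret exists.
    try:
        fetch_with_region("us-west-2")
    except SecretNotFound as exc:
        print("hardcoded region:", exc)
    # Region taken from the environment, as the 0.8.6 fix does.
    region = resolve_region({}, {"AWS_REGION": "eu-west-1"})
    print("AWS_REGION honoured:", fetch_with_region(region))
```

Failing closed when no region is configured is the deliberate choice here: a silent fallback to a fixed region reproduces exactly the confusing `AccessDeniedException` shown in the traceback above, whereas an explicit `ValueError` names the missing setting.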