GetSecretValue IAM permission for acl-controller #135
Description
Module: acl-controller
Regarding secrets, currently the module has the following input variables:
- consul_bootstrap_token_secret_arn
- consul_server_ca_cert_arn
The module then creates IAM permissions to the GetSecretValue action. Normally this works fine with secret ARNs that only contain a single value such as:
arn:aws:secretsmanager:<region>:<aws_account_id>:secret:<secret_name>
But when a secret with a JSON structure is used, then the ARN in the ECS task definition becomes:
arn:aws:secretsmanager:region:aws_account_id:secret:secret-name:json-key:version-stage:version-id
Unfortunately the IAM permission fails (does not apply) when this type of secret ARN is used and the acl-controller fails to start because its unable to retrieve the secret value.
I was able to confirm this by manually updating the IAM policy by removing the :json-key:version-stage:version-id suffix and the acl-controller was then able to start successfully.
How would it be possible to use secrets with ARNs that specify a JSON key?