Applies to
- Liquibase Pro
Conditions
- Using AWS Secrets Manager
Issue Summary
The AWS Secrets Manager extension in Liquibase allows users to retrieve secrets from AWS Secrets Manager. Customers may encounter issues such as connection errors, secret retrieval failures, or misconfigurations when using this extension.
Example Error Messages
Error parsing command line: User: arn:aws:iam::xxxxxxxxxxxxx:user/xxx is not authorized to perform: secretsmanager:GetSecretValue on resource: liquibase-secret-license because no identity-based policy allows the secretsmanager:GetSecretValue action (Service: SecretsManager, Status Code: 400, Request ID: xxx)
Potential Root Causes
Potential root causes include:
- Incorrect AWS IAM permissions.
- The secret does not exist or has an incorrect name in AWS Secrets Manager.
- Misconfigured Liquibase or AWS properties file.
- Issues with the AWS Secrets Manager API or network connectivity.
Troubleshooting
Step 1: Verify AWS Information
Ensure the IAM role or user that Liquibase runs as has the necessary permissions. For example, the user or role must be allowed the secretsmanager:GetSecretValue action on the secret being read. If Liquibase assumes a role, the principal it starts from must also be permitted to assume that role.
Additionally, confirm that the secret exists and has the correct name. Check if the secret value is formatted correctly for Liquibase to use.
Step 2: Check Liquibase Properties Configuration
Verify that the Liquibase properties file includes the correct secret key, region, and other configurations for AWS Secrets Manager. Ensure there are no typos or missing properties.
Example ~/.aws/config
[default]
region = us-east-1
output = json
role_arn = arn:aws:iam::xxx:role/username/role
source_profile = default
Example ~/.aws/credentials
[default]
aws_access_key_id=xxx
aws_secret_access_key=xxx
Resolving Known Issues when Connecting Using Roles
In older versions of Liquibase Pro, the AWS Secrets Manager Extension did not support connecting via roles. This was corrected in version 1.0.6. You will need to install version 1.0.6 or higher to connect via roles with the AWS Secrets Manager Extension.
Verify Using the AWS CLI
If Liquibase still cannot retrieve the secret, run get-secret-value with the AWS CLI to confirm that your AWS configuration is valid and that your user or role has the necessary permissions. The CLI reads the same configuration files and retrieves the specified secret without Liquibase involved, which tells you whether the problem is isolated to Liquibase.
Step 3: Test Network Connectivity
Ensure that the Liquibase instance can connect to the AWS Secrets Manager endpoint (secretsmanager.<region>.amazonaws.com). Use tools like ping or curl to test connectivity and address any firewall or network issues.
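A diagnostic script for Steps 1 to 3, added here as an example rather than code from Liquibase or AWS: it builds the regional endpoint, emits a least-privilege policy for one secret, runs the AWS CLI and curl checks described above, and maps the resulting error (including the one quoted under Example Error Messages) to the step it points at. It assumes AWS CLI v2 and curl are installed and configured; the file name sm-diag.sh and the sample secret name and ARN are placeholders.

```shell
# Diagnostic helper for Steps 1-3 above. Added example, not Liquibase or AWS code.
# Assumes AWS CLI v2 and curl are installed and ~/.aws/config and ~/.aws/credentials
# are set up as shown earlier; secret names and ARNs passed in are placeholders.

# Regional endpoint Liquibase has to reach (Step 3). FIPS and VPC endpoints differ.
sm_endpoint() { printf 'secretsmanager.%s.amazonaws.com' "$1"; }

# Least-privilege identity policy for one secret (Step 1): only GetSecretValue,
# only on that secret's ARN. Attach it to the user or the role Liquibase assumes.
minimal_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"secretsmanager:GetSecretValue","Resource":"%s"}]}' "$1"
}

# Map an AWS error message to the troubleshooting step it points at:
#   denied:<action>:<resource>  identity policy lacks the action (Step 1)
#   missing                     wrong secret name or ARN (Step 1)
#   network                     endpoint unreachable (Step 3)
classify_error() {
  msg=$1
  case "$msg" in
    *"is not authorized to perform: "*)
      action=${msg#*is not authorized to perform: }; action=${action%% on resource:*}
      resource=${msg#*on resource: };               resource=${resource%% because*}
      printf 'denied:%s:%s' "$action" "$resource" ;;
    *ResourceNotFoundException*|*"can't find the specified secret"*) printf 'missing' ;;
    *"Could not connect to the endpoint"*|*"Connect timeout"*)        printf 'network' ;;
    *) printf 'unknown' ;;
  esac
}

# Live checks in the article's order: identity, endpoint reachability, then the secret.
run_checks() {
  secret=$1; region=${2:-$(aws configure get region)}; host=$(sm_endpoint "$region")
  echo "1/3 caller identity (the user, or the role if assumption worked):"
  aws sts get-caller-identity --output text || return 1
  echo "2/3 HTTPS reachability of $host (ICMP ping may be blocked; any HTTP status is fine):"
  curl -sS -o /dev/null -w '%{http_code}\n' --max-time 10 "https://$host/" || return 1
  echo "3/3 GetSecretValue on '$secret' (only the Name is printed, never the value):"
  if out=$(aws secretsmanager get-secret-value --secret-id "$secret" --region "$region" \
             --query Name --output text 2>&1); then
    echo "ok: retrieved '$out'"
  else
    echo "failed -> $(classify_error "$out")"; return 1
  fi
}

# Usage: sh sm-diag.sh <secret-name-or-arn> [region]; with no arguments it only defines the functions.
if [ $# -ge 1 ]; then run_checks "$@"; fi
```

Step 2 of the live run answering with any HTTP status code proves TCP and TLS reach the endpoint; a failure there is a firewall or proxy problem rather than an IAM one.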
Refer to AWS documentation for further troubleshooting.