Debugging AWS Secrets Manager integration


Hi, Concourse team!

I am attempting to deploy to AWS and have run into an issue with the Secrets Manager integration. I am attempting to use the IAM role which I deployed the web instances with (and worker for that matter, though the worker does not accept the configuration keys).

Since I am relying on the instance information to provide the key ID and secret, the only parameter appears to be the region-- I do include --aws-secretsmanager-region {{aws_region}} in my exec command to the service (I am using the binaries.)

The result is log lines like this:

Apr 15 18:53:29 ip-10-0-4-75.ec2.internal concourseci[30636]: {"timestamp":"2019-04-15T18:53:29.100088899Z","level":"info","source":"atc","message":"atc.credential-manager.configured credentials manager","data":{"name":"secretsmanager","session":"8"}}
Apr 15 18:53:29 ip-10-0-4-75.ec2.internal concourseci[30636]: {"timestamp":"2019-04-15T18:53:29.100778490Z","level":"info","source":"atc","message":"atc.credential-manager.configured credentials manager","data":{"name":"secretsmanager","session":"17"}}

That looks OK to me!

I’m adapting the pipeline from the Stark and Wayne tutorials, and receive an error like the following:

Apr 15 18:54:29 ip-10-0-4-75.ec2.internal concourseci[30636]: {"timestamp":"2019-04-15T18:54:29.136027204Z","level":"error","source":"atc","message":"atc.credential-manager.get-secret","data":{"error":"NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors","name":"secretsmanager","secret":"git_passwd","secretId":"/concourse/main/publishing-outputs/git_passwd","session":"17","template":"pipeline-secret-template"}}

The resource looks like this:

- name: resource-gist
  type: git
    branch: master
    uri: [REDACTED]
    username: concourse
    password: ((git_passwd))

I can verify that the secret is placed where it’s looked for-- how can I tell which direction to send my debugging from here?



It was, of course, an issue with the IAM role I had assigned. In a similar situation, check your ability to use the aws command at the instance command line.