key ring Image by Takeshi Hirano via Pixabay

During the last few days, I had a tough time debugging. My service did not want to start up because of missing credentials.

I tried different things. But I did not find out why the service failed.

In the end, I used localstack to debug the behaviour on my machine.

localstack inside docker

I had written about localstack in some blog posts before; see Testing with SNS/SQS using Localstack in Docker.

Localstack (GitHub) is a service for faking Amazon AWS services for testing.

You do not need to install it on your machine; there is a docker image available on Docker Hub.

The easiest way to consume it: Use the provided docker-compose.yml. You just need to specify which service you want to use:

    SERVICES=secretsmanager

Putting things together:

    version: "3.8"
    
    services:
      localstack:
        container_name: "${LOCALSTACK_DOCKER_NAME-localstack_main}"
        image: localstack/localstack
        ports:
          - "127.0.0.1:4566:4566"            # LocalStack Gateway
          - "127.0.0.1:4510-4559:4510-4559"  # external services port range
        environment:
          - DEBUG=1
          - SERVICES=secretsmanager
          - LAMBDA_EXECUTOR=${LAMBDA_EXECUTOR-}
          - DOCKER_HOST=unix:///var/run/docker.sock
        volumes:
          - "${LOCALSTACK_VOLUME_DIR:-./volume}:/var/lib/localstack"
          - "/var/run/docker.sock:/var/run/docker.sock"

How to set up the credentials

configure aws profile

In recent versions, localstack only plays well when using the us-east-1 region:

~/.aws/config

    [profile localstack]
    region = us-east-1

Localstack does not evaluate credentials, so you can just set some dummy values:

~/.aws/credentials

    [localstack]
    aws_access_key_id=dummy
    aws_secret_access_key=dummy

create/save/read credentials using awscli

Sample requests:

    aws secretsmanager create-secret --endpoint-url=http://localhost:4566 --profile localstack --name my-secret-name

    aws secretsmanager put-secret-value --endpoint-url=http://localhost:4566 --profile localstack --secret-id my-secret-name --secret-string '{"key":"value"}'

    aws secretsmanager get-secret-value --endpoint-url=http://localhost:4566 --profile localstack --secret-id my-secret-name

As an alternative, you could also use awslocal, but I prefer using the endpoint parameter.
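The three awscli calls above combined into one smoke test, as an added example that is not part of the original post. The function names `sm`, `roundtrip` and `is_loopback_endpoint` are hypothetical, `describe-secret`, `--query` and `--output` are standard awscli features the post does not use, and the loopback check is an assumption that this test must never talk to a real AWS endpoint.

```shell
#!/bin/sh
# Added example (not from the original post): secret round trip against LocalStack.
ENDPOINT="${ENDPOINT:-http://localhost:4566}"  # gateway port from the compose file
PROFILE="${PROFILE:-localstack}"               # dummy-credential profile from above

# Assumption: the test should only ever talk to a loopback endpoint.
# Returns 0 for http://localhost[:port] or http://127.0.0.1[:port], 1 otherwise.
is_loopback_endpoint() {
  hostport="${1#http://}"
  [ "$hostport" != "$1" ] || return 1   # scheme must be http://
  hostport="${hostport%/}"              # tolerate one trailing slash
  case "$hostport" in
    *[!A-Za-z0-9.:]*) return 1 ;;       # rejects user@host forms and paths
  esac
  case "${hostport%%:*}" in
    localhost|127.0.0.1) return 0 ;;
    *) return 1 ;;
  esac
}

# Wrapper so every call carries the endpoint and profile, as in the commands above.
sm() { aws secretsmanager "$@" --endpoint-url="$ENDPOINT" --profile "$PROFILE"; }

# Create the secret if it is missing, store a value, read it back and compare.
# Returns 0 on a matching read, 1 on any CLI failure or mismatch, 2 if refused.
roundtrip() {
  name="$1"; value="$2"
  is_loopback_endpoint "$ENDPOINT" || {
    echo "refusing non-local endpoint: $ENDPOINT" >&2; return 2; }
  sm describe-secret --secret-id "$name" >/dev/null 2>&1 ||
    sm create-secret --name "$name" >/dev/null || return 1
  sm put-secret-value --secret-id "$name" --secret-string "$value" >/dev/null || return 1
  got=$(sm get-secret-value --secret-id "$name" \
          --query SecretString --output text) || return 1
  [ "$got" = "$value" ] || { echo "read-back mismatch for $name" >&2; return 1; }
}

# Usage, with the container running:
#   roundtrip my-secret-name '{"key":"value"}' && echo "secret store reachable"
```

A return code of 1 from `roundtrip` points at the container or the profile rather than at the service under test, which narrows down a "missing credentials" failure before the Java side is involved.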

configure java

When using java to access the credentials, you should make sure that it connects to localstack:

Java VM Options:

    -Daws.secretsmanager.endpoint=http://localhost:4566 -Daws.accessKeyId=dummy -Daws.secretKey=dummy -Daws.region=us-east-1

Environment:

    AWS_PROFILE=localstack

Happy Testing/Debugging!

Amazon AWS is a trademark of Amazon.com