aws-cdk-lib/aws-secretsmanager: Secret already exists in another stack

[lhincapie0]

Describe the bug

We are trying to deploy new stacks with aws-cdk referencing a secret to attach credentials to an RDS instance and we are getting the following error (only happens with new stacks):

❌ Error: The stack named new_stack_name failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: arn:aws:secretsmanager:us-east-2:<*****accountd_id*****>:secret:<*****secret_arn*****> already exists in stack arn:aws:cloudformation:us-east-2:<*****accountd_id*****>:stack/<*****existing_stack_name*****>/<*****existing_stack_id*****>

This error started happening one month ago without any changes from our side, before this we were able to deploy the same infrastructure for existing and new stacks.

The following code is getting the secret from secrets manager and attaching this secret to the RDS instance:

const dbCredentials = secretsmanager.Secret.fromSecretNameV2(stack, 'DBSecret', 'secret-name');

 const database = new rds.DatabaseInstance(stack, 'database-name', {
        credentials: rds.Credentials.fromSecret(dbCredentials),
        removalPolicy: RemovalPolicy.RETAIN,
        engine: rds.DatabaseInstanceEngine.postgres({ version: postgresVersion })
        ... 
    }
});

Expected Behavior

The database and secret attachment is created successfully

Current Behavior

The deployment of a new stack fails when it tries to create the Secret Attachment for the RDS instance

stack-name | 41/44 | 10:56:06 PM | CREATE_FAILED        | AWS::SecretsManager::SecretTargetAttachment | project-name/DBSecret/Attachment (DBSecretAttachmentC565A14F) arn:aws:secretsmanager:us-east-2:<*****accountd_id*****>:secret:<*****secret_arn*****> already exists in stack arn:aws:cloudformation:us-east-2:<*****accountd_id*****>:stack/<*****existing_stack_name*****>/<*****existing_stack_id*****>

Reproduction Steps

Described above.

Possible Solution

I tried to follow the steps described in #24383 but its still happening

Additional Information/Context

No response

CDK CLI Version

2.67.0

Framework Version

No response

Node.js Version

16.0

OS

Ubuntu

Language

Typescript

Language Version

No response

Other information

No response

[pahud]

Hi

Where is the credentials defined in rds.Credentials.fromSecret(credentials), ?

Can you share more details?

const dbCredentials = secretsmanager.Secret.fromSecretNameV2(stack, 'DBSecret', 'secret-name');

 const database = new rds.DatabaseInstance(stack, 'database-name', {
        credentials: rds.Credentials.fromSecret(credentials),
        removalPolicy: RemovalPolicy.RETAIN,
        engine: rds.DatabaseInstanceEngine.postgres({ version: postgresVersion })
        ... 
    }
});

[lhincapie0]

@pahud sorry, I just modified the description, its the one being retrieved from secrets manager:

const dbCredentials = secretsmanager.Secret.fromSecretNameV2(stack, 'DBSecret', 'secret-name');

 const database = new rds.DatabaseInstance(stack, 'database-name', {
        credentials: rds.Credentials.fromSecret(dbCredentials),
        removalPolicy: RemovalPolicy.RETAIN,
        engine: rds.DatabaseInstanceEngine.postgres({ version: postgresVersion })
        ... 
    }
});

[lhincapie0]

Any updates?

[pahud]

Secret.fromSecretNameV2() returns the ISecret that contains an ambiguous Secret ARN with -?????? suffix and is not designed to be used with services that require full ARN. In your case, if you need to import existing secret I am afraid you will need to use fromSecretAttributes() instead as it contains full ARN. We have some discussion around this at #18555 (comment)

Let me know if it works with you.

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.