
Getting "Could not find a value associated with JSONKey in SecretString" after updating secret

Open 39otrebla opened this issue 5 years ago • 12 comments

Description

Our SAM template references some secrets, as follows:

FOO_VAR: {{resolve:secretsmanager:FOO_SECRET:SecretString:foo}}

This morning we added a new key in the secret FOO (from console), and we wanted to update our SAM application to use this new key. Also, we removed an unused key. Though, stack deployment fails with the following error:

Could not find a value associated with JSONKey in SecretString

Steps to reproduce

  1. Create a Secret in Secrets Manager from AWS Console (FOO_SECRET) and put one key/value in the secret (foo:bar)
  2. Create a stack using SAM application default template
  3. Within the template, reference the secret key created in step 1 as follows: {{resolve:secretsmanager:FOO_SECRET:SecretString:foo}}
  4. Deploy your stack
  5. Go in SecretsManager from the AWS Console and edit FOO_SECRET adding the following key: willFail: true and removing the old one (foo)
  6. Within the template, remove the reference to foo and add the reference to the newly created secret key from step 5, as follows: {{resolve:secretsmanager:FOO_SECRET:SecretString:willFail}}
  7. Deploy your stack

Observed result

You'll get Could not find a value associated with JSONKey in SecretString, that (presumably) means that CloudFormation is trying to resolve foo which doesn't exist anymore.

Expected result

Deployment should work as no more references to foo exist in the template.

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

  1. OS: Mac OS 10.15.5
  2. sam --version: SAM CLI, version 0.53.0

39otrebla avatar Aug 04 '20 09:08 39otrebla

I am facing a similar issue. Had a deployed stack with two keys. I then added a prefix to those keys and added two additional keys.

Stack fails with Could not find a value associated with JSONKey in SecretString

A workaround is to temporarily add the old key back, it doesn't matter what the value is, the key just needs to be there for the stack to update successfully.

BenBraunstein avatar Sep 01 '20 17:09 BenBraunstein

This is happening with regular CFN templates too, Ben's workaround helps but majorly frustrating for large teams where figuring out the removed key(s) isn't so hassle free.

aliabas7 avatar Sep 11 '20 13:09 aliabas7

Facing the same issue here.

Merged development into staging and deployed. The keys exist. Once again I will have to look for a workaround (the one mentioned above does not work for me).

arturocanalda avatar Oct 05 '20 09:10 arturocanalda

Found the problem. It was on my secret key. From the console I could clearly see my keys there in the "Secret/Key" tab. So far, so good. When I switched to the "Plaintext" view, this is what I found:

{
  "MAILCHIMP_LIST_ID\t": "****"
}

(*) Notice that beautiful and invisible \t

arturocanalda avatar Oct 05 '20 10:10 arturocanalda

I am facing a similar issue. Had a deployed stack with two keys. I then added a prefix to those keys and added two additional keys.

Stack fails with Could not find a value associated with JSONKey in SecretString

A workaround is to temporarily add the old key back, it doesn't matter what the value is, the key just needs to be there for the stack to update successfully.

This workaround fixed the issue for me, I even tried having the cloudformation template not access the secrets manager at all and it still threw this error which is just brutal.

seanhines avatar Nov 02 '20 13:11 seanhines

This bug burned my entire day yesterday. The workaround also fixed the issue for me.

sparky005 avatar Sep 01 '21 14:09 sparky005

In my understanding, it's not a bug at all, regarding the fact that stack updates require CloudFormation models comparison. At first glance it can be quite surprising, mostly because we'll face this during some tests. But why would you want to delete a Secret Key STILL USED by the current stack? If you're facing this error it's either because you have a misconstructed Secret, or because you prematurely deleted a used key.

The right way to do it is:

  • Add new Secret keys or change values if needed
  • Run your update
  • Remove now unused Secret keys

If you have issues finding which keys were deleted, you can check your current CloudFormation stack model in AWS Console, and search for resolve:secretsmanager: occurrences (also check the Secret ARN if you've renamed a whole Secret).

zessx avatar Oct 12 '21 09:10 zessx
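
Added example, not part of any comment in this thread and not AWS or SAM CLI code: a pre-deploy check that lists every `resolve:secretsmanager` JSON key referenced by the deployed template and by the new one, and reports keys absent from the secret, including a key stored with stray whitespace such as the trailing tab shown earlier. It assumes the two template texts and each SecretString are supplied as strings; the function names and sample data are hypothetical.

```python
import json
import re

# Matches {{resolve:secretsmanager:...}} dynamic references in template text.
DYNAMIC_REF = re.compile(r"\{\{resolve:secretsmanager:([^}]+)\}\}")

def parse_refs(template_text):
    """Return sorted (secret_id, json_key) pairs referenced by a template."""
    refs = set()
    for body in DYNAMIC_REF.findall(template_text):
        parts = body.split(":")
        # A secret ARN has 7 colon-separated fields; a plain name has 1.
        n = 7 if parts[0] == "arn" else 1
        secret_id, rest = ":".join(parts[:n]), parts[n:]
        # rest = [SecretString, json-key, version-stage, version-id]
        if len(rest) >= 2 and rest[0] == "SecretString" and rest[1]:
            refs.add((secret_id, rest[1]))
    return sorted(refs)

def check(deployed_template, new_template, secret_strings):
    """List references that will not resolve; secret_strings maps id -> JSON text."""
    findings = []
    for label, tpl in (("deployed", deployed_template), ("new", new_template)):
        for secret_id, key in parse_refs(tpl):
            raw = secret_strings.get(secret_id)
            if raw is None:
                findings.append((label, secret_id, key, "secret not supplied"))
                continue
            keys = json.loads(raw)  # only key names are reported, never values
            if key not in keys:
                # Catch keys stored with stray whitespace such as a trailing tab.
                near = [k for k in keys if k.strip() == key]
                reason = f"key stored as {near[0]!r}" if near else "key missing"
                findings.append((label, secret_id, key, reason))
    return findings

# Constructed sample data modelled on the thread (not real secrets or templates).
DEPLOYED = "FOO_VAR: '{{resolve:secretsmanager:FOO_SECRET:SecretString:foo}}'"
NEW = ("FOO_VAR: '{{resolve:secretsmanager:FOO_SECRET:SecretString:willFail}}'\n"
       "LIST_ID: '{{resolve:secretsmanager:FOO_SECRET:SecretString:MAILCHIMP_LIST_ID}}'")
SECRETS = {"FOO_SECRET": '{"willFail": "true", "MAILCHIMP_LIST_ID\\t": "x"}'}

if __name__ == "__main__":
    for finding in check(DEPLOYED, NEW, SECRETS):
        print(finding)
```

A "deployed" finding names the key to restore temporarily before the update; a "new" finding points at a key to add or correct in the secret.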

Found the problem. It was on my secret key. From the console I could clearly see my keys there in the "Secret/Key" tab. So far, so good. When I switched to the "Plaintext" view, this is what I found:

{
  "MAILCHIMP_LIST_ID\t": "****"
}

(*) Notice that beautiful and invisible \t

You are a life saver.

eran-medan avatar Jan 19 '22 05:01 eran-medan

Found the problem. It was on my secret key. From the console I could clearly see my keys there in the "Secret/Key" tab. So far, so good. When I switched to the "Plaintext" view, this is what I found:

{
  "MAILCHIMP_LIST_ID\t": "****"
}

(*) Notice that beautiful and invisible \t

Thanks a lot men!!! You're a life saver indeed! :)

milenkobrkovic avatar Aug 02 '22 22:08 milenkobrkovic

A workaround is to temporarily add the old key back, it doesn't matter what the value is, the key just needs to be there for the stack to update successfully.

If I forget the Secrets key I had previously set, how do I get around this error?

etaroid avatar Sep 15 '22 01:09 etaroid

A workaround is to temporarily add the old key back, it doesn't matter what the value is, the key just needs to be there for the stack to update successfully.

If I forget the Secrets key I had previously set, how do I get around this error?

Had the same scenario, I didn't know which old secret it was complaining about, I looked into the CloudFormation template generated for that stack and found the name of it, added it temporarily, ran the deployment, removed it again 👍

RabeaWahab avatar Oct 11 '22 18:10 RabeaWahab

I had the same problem. I tried every solution in this post and nothing worked. Finally I needed to delete the stack and create it again to solve it.

frvalenzuela avatar Nov 29 '23 21:11 frvalenzuela