
I’m trying to run the stripe cli in an AWS ECS docker container to perform

stripe listen

When I do it in test mode it appears to work fine. I suspect that it’s because you don’t need an api-key for it to run.

I created a restricted API key and put it in secret manager, assigned a role, and I know that I can get secrets at run time because the other server container is getting the secrets without a problem at run time.

I have set up a task definition. I’ll provide the json definition for the stripe container below:

{
    "name": "stripe-cli",
    "image": "stripe/stripe-cli",
    "cpu": 0,
    "portMappings": [],
    "essential": true,
    "command": [
        "listen",
        "--api-key",
        "${STRIPE_RESTRICTED_API_KEY}",
        "--forward-to",
        "https://redacted.com/api/stripe/webhook"
    ],
    "environment": [],
    "mountPoints": [],
    "volumesFrom": [],
    "secrets": [
        {
            "name": "STRIPE_RESTRICTED_API_KEY",
            "valueFrom": "arn:aws:secretsmanager:region:accountId:secret:secret_store_redacted:secret_name_redacted::"
        }
    ],
    "dependsOn": [
        {
            "containerName": "redacted",
            "condition": "HEALTHY"
        }
    ],
    "readonlyRootFilesystem": true,
    "logConfiguration": {
        "logDriver": "awslogs",
        "options": {},
        "secretOptions": []
    },
    "healthCheck": {
        "command": [
            "CMD-SHELL",
            "stripe version || exit 1"
        ],
        "interval": 30,
        "timeout": 5,
        "retries": 3,
        "startPeriod": 0
    }
}

The problem is that I keep getting this error when I try to deploy the stripe cli with live mode on:

"message": "For security reasons, the Stripe CLI only permits the use of restricted keys when in live mode. To generate restricted keys for use in live mode, use the stripe login command."

Am I doing something wrong? Is there another way to access the restricted API key secret from secret manager into commands?

2 Answers


  1. I think the issue is there might be some live and test mode mixes here. If you’re trying to forward live mode events, you’d want to follow these steps:

    1/ Create live mode restricted key in Dashboard with Stripe CLI permissions enabled

    2/ Use stripe login --interactive to input restricted key created in Step 1

    3/ Listen and forward the event

  2. "command": [
         "listen",
         "--api-key",
         "${STRIPE_RESTRICTED_API_KEY}",
         "--forward-to",
         "https://redacted.com/api/stripe/webhook"
     ]
    

    When you pass the arguments this way, they don’t undergo shell expansion. The literal string ${STRIPE_RESTRICTED_API_KEY} gets passed to your executable, which is of course not a valid key.

    I’m not familiar with Stripe CLI, but brief googling shows this:

    You can set two environment variables, which take precedence over all other values:

    STRIPE_API_KEY: the API key to use for the CLI.

    If it works as advertised indeed, you just need to name your environment variable STRIPE_API_KEY and omit the --api-key argument.

    For the shell expansion to work, you’ll need to invoke an actual shell:

    "command": ["/bin/sh", "-c", "stripe listen --api-key \"$STRIPE_RESTRICTED_API_KEY\" --forward-to https://redacted.com/api/stripe/webhook"]
    
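An added check, not from this thread or from Stripe's tooling, that scans an ECS container definition for the mistake in the question: a `${VAR}` reference to an injected secret left in the `command` array, which ECS hands to the binary verbatim. It also rewrites the definition into the environment-variable form from this answer, so the key is read from `STRIPE_API_KEY` and never appears on the command line, in `ps`, or in task logs. The trimmed container definition is constructed from the question, and the rename assumes a single Stripe key secret.

```python
import json
import re

# Constructed sample: the container definition from the question, trimmed to
# the fields the check needs (name, command, secrets).
CONTAINER_DEF = json.loads("""
{
  "name": "stripe-cli",
  "command": ["listen", "--api-key", "${STRIPE_RESTRICTED_API_KEY}",
              "--forward-to", "https://redacted.com/api/stripe/webhook"],
  "secrets": [{"name": "STRIPE_RESTRICTED_API_KEY",
               "valueFrom": "arn:aws:secretsmanager:region:accountId:secret:redacted::"}]
}
""")

# Matches $VAR and ${VAR}; ECS does not expand either unless a shell is invoked.
VAR_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def unexpanded_refs(container):
    """(argv_index, var_name) for every $VAR/${VAR} literal in the command array."""
    cmd = container.get("command", [])
    return [(i, m.group(1)) for i, arg in enumerate(cmd) for m in VAR_REF.finditer(arg)]


def secrets_on_argv(container):
    """Injected secret names that the command tries to put on the command line."""
    names = {s["name"] for s in container.get("secrets", [])}
    return sorted({v for _, v in unexpanded_refs(container) if v in names})


def hardened(container):
    """Rename the leaked secret to STRIPE_API_KEY (the variable the CLI reads from
    the environment) and drop the --api-key flag and its unexpanded value.
    Assumes one Stripe key secret; several would collide on the new name."""
    fixed = json.loads(json.dumps(container))  # deep copy, input left untouched
    leaked = set(secrets_on_argv(container))
    for s in fixed.get("secrets", []):
        if s["name"] in leaked:
            s["name"] = "STRIPE_API_KEY"
    cmd = fixed.get("command", [])
    drop = set()
    for i, var in unexpanded_refs(container):
        if var in leaked:
            drop.add(i)
            if i > 0 and cmd[i - 1].startswith("--"):  # also drop the preceding flag
                drop.add(i - 1)
    fixed["command"] = [a for i, a in enumerate(cmd) if i not in drop]
    return fixed
```

Run it against a full task definition by iterating over `containerDefinitions` and calling `secrets_on_argv` on each entry; a non-empty result is the finding.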