From 0b28a54518f7eb0b5c57ebacc5b7c05414e8964a Mon Sep 17 00:00:00 2001
From: Ali Ismayilov <993934+aliismayilov@users.noreply.github.com>
Date: Wed, 2 Apr 2025 18:12:14 +0200
Subject: [PATCH] Enforce JSON output format for aws command
---
 lib/kamal/secrets/adapters/aws_secrets_manager.rb | 1 +
 test/secrets/aws_secrets_manager_adapter_test.rb | 10 +++++-----
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/lib/kamal/secrets/adapters/aws_secrets_manager.rb b/lib/kamal/secrets/adapters/aws_secrets_manager.rb
index d37b4246..27d413ed 100644
--- a/lib/kamal/secrets/adapters/aws_secrets_manager.rb
+++ b/lib/kamal/secrets/adapters/aws_secrets_manager.rb
@@ -26,6 +26,7 @@ class Kamal::Secrets::Adapters::AwsSecretsManager < Kamal::Secrets::Adapters::Ba
 def get_from_secrets_manager(secrets, account: nil)
 args = [ "aws", "secretsmanager", "batch-get-secret-value", "--secret-id-list" ] + secrets.map(&:shellescape)
 args += [ "--profile", account.shellescape ] if account
+ args += [ "--output", "json" ]
 cmd = args.join(" ")
 `#{cmd}`.tap do |secrets|
diff --git a/test/secrets/aws_secrets_manager_adapter_test.rb b/test/secrets/aws_secrets_manager_adapter_test.rb
index 00f3de08..0ba9c35e 100644
--- a/test/secrets/aws_secrets_manager_adapter_test.rb
+++ b/test/secrets/aws_secrets_manager_adapter_test.rb
@@ -4,7 +4,7 @@ class AwsSecretsManagerAdapterTest < SecretAdapterTestCase
 test "fails when errors are present" do
 stub_ticks.with("aws --version 2> /dev/null")
 stub_ticks
- .with("aws secretsmanager batch-get-secret-value --secret-id-list unknown1 unknown2 --profile default")
+ .with("aws secretsmanager batch-get-secret-value --secret-id-list unknown1 unknown2 --profile default --output json")
 .returns(<<~JSON)
 {
 "SecretValues": [],
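Review bot: The new `args += [ "--output", "json" ]` line in `get_from_secrets_manager` carries no comment saying why the format is pinned, so a later cleanup could drop it as redundant. The AWS CLI otherwise takes its output format from the selected profile or `AWS_DEFAULT_OUTPUT`, and the tests suggest the result is parsed as JSON, so a `text` or `yaml` default would break secret retrieval; I would add `# Pin JSON: the profile or AWS_DEFAULT_OUTPUT may select text/yaml/table, which the JSON handling cannot read` above the line. The two literals are safe without `shellescape`, but the command is still joined into one string and run through backticks, so any dynamic argument added here later must be escaped the way `secrets` and `account` are. The method body continues past the end of the hunk, so how the exit status and output are checked is not visible here.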
@@ -33,7 +33,7 @@ class AwsSecretsManagerAdapterTest < SecretAdapterTestCase
 test "fetch" do
 stub_ticks.with("aws --version 2> /dev/null")
 stub_ticks
- .with("aws secretsmanager batch-get-secret-value --secret-id-list secret/KEY1 secret/KEY2 secret2/KEY3 --profile default")
+ .with("aws secretsmanager batch-get-secret-value --secret-id-list secret/KEY1 secret/KEY2 secret2/KEY3 --profile default --output json")
 .returns(<<~JSON)
 {
 "SecretValues": [
@@ -76,7 +76,7 @@ class AwsSecretsManagerAdapterTest < SecretAdapterTestCase
 test "fetch with string value" do
 stub_ticks.with("aws --version 2> /dev/null")
 stub_ticks
- .with("aws secretsmanager batch-get-secret-value --secret-id-list secret secret2/KEY1 --profile default")
+ .with("aws secretsmanager batch-get-secret-value --secret-id-list secret secret2/KEY1 --profile default --output json")
 .returns(<<~JSON)
 {
 "SecretValues": [
@@ -118,7 +118,7 @@ class AwsSecretsManagerAdapterTest < SecretAdapterTestCase
 test "fetch with secret names" do
 stub_ticks.with("aws --version 2> /dev/null")
 stub_ticks
- .with("aws secretsmanager batch-get-secret-value --secret-id-list secret/KEY1 secret/KEY2 --profile default")
+ .with("aws secretsmanager batch-get-secret-value --secret-id-list secret/KEY1 secret/KEY2 --profile default --output json")
 .returns(<<~JSON)
 {
 "SecretValues": [
@@ -159,7 +159,7 @@ class AwsSecretsManagerAdapterTest < SecretAdapterTestCase
 test "fetch without account option omits --profile" do
 stub_ticks.with("aws --version 2> /dev/null")
 stub_ticks
- .with("aws secretsmanager batch-get-secret-value --secret-id-list secret/KEY1 secret/KEY2")
+ .with("aws secretsmanager batch-get-secret-value --secret-id-list secret/KEY1 secret/KEY2 --output json")
 .returns(<<~JSON)
 {
 "SecretValues": [