From 6856742eca5ddcdc62a76a20d530bff695fdbc35 Mon Sep 17 00:00:00 2001
From: Justin Dell
Date: Mon, 21 Oct 2024 09:19:06 -0500
Subject: [PATCH] add secrets adapter for aws secrets manager

---
 .../secrets/adapters/aws_secretsmanager.rb | 25 ++++++
 .../aws_secretsmanager_adapter_test.rb     | 87 +++++++++++++++++++
 2 files changed, 112 insertions(+)
 create mode 100644 lib/kamal/secrets/adapters/aws_secretsmanager.rb
 create mode 100644 test/secrets/aws_secretsmanager_adapter_test.rb

diff --git a/lib/kamal/secrets/adapters/aws_secretsmanager.rb b/lib/kamal/secrets/adapters/aws_secretsmanager.rb
new file mode 100644
index 00000000..8d6f2ead
--- /dev/null
+++ b/lib/kamal/secrets/adapters/aws_secretsmanager.rb
@@ -0,0 +1,25 @@
+class Kamal::Secrets::Adapters::AwsSecretsmanager < Kamal::Secrets::Adapters::Base
+  private
+    def login(_account)
+      nil
+    end
+
+    def fetch_secrets(secrets, account:, session:)
+      {}.tap do |results|
+        JSON.parse(get_from_secrets_manager(secrets, account: account))["SecretValues"].each do |secret|
+          secret_name = secret["Name"]
+          secret_string = JSON.parse(secret["SecretString"])
+
+          secret_string.each do |key, value|
+            results["#{secret_name}/#{key}"] = value
+          end
+        end
+      end
+    end
+
+    def get_from_secrets_manager(secrets, account:)
+      `aws secretsmanager batch-get-secret-value --secret-id-list #{secrets.map(&:shellescape).join(" ")} --profile #{account}`.tap do
+        raise RuntimeError, "Could not read #{secret} from AWS Secrets Manager" unless $?.success?
+      end
+    end
+end
diff --git a/test/secrets/aws_secretsmanager_adapter_test.rb b/test/secrets/aws_secretsmanager_adapter_test.rb
new file mode 100644
index 00000000..26952034
--- /dev/null
+++ b/test/secrets/aws_secretsmanager_adapter_test.rb
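Review bot: The `raise` in `get_from_secrets_manager` interpolates `#{secret}`, but only `secrets` is in scope there, so a non-zero exit from `aws` surfaces as a NameError rather than the intended RuntimeError; `raise RuntimeError, "Could not read #{secrets.join(", ")} from AWS Secrets Manager" unless $?.success?` fixes the message. In the same backtick command the secret ids go through `shellescape` but `account` is interpolated raw into `--profile #{account}`; `--profile #{account.shellescape}` keeps the whole command line consistently quoted against a profile name carrying shell metacharacters. `fetch_secrets` also reads only `SecretValues` and never looks at the `Errors` array that the test fixture shows the CLI returning alongside it, so a secret that is denied or missing is presumably dropped silently instead of failing the fetch; raising when `Errors` is non-empty makes that loud (sketched below). The method further assumes every `SecretString` is a JSON object — a plain-string or binary secret would make `JSON.parse` raise or receive nil — which deserves at least a comment such as `# each secret is expected to hold a JSON object; its keys are exposed as "<name>/<key>"`.
```ruby
def fetch_secrets(secrets, account:, session:)
  response = JSON.parse(get_from_secrets_manager(secrets, account: account))
  # NOTE(review): per-id failures appear to be reported under "Errors" rather than as a
  # non-zero exit (the fixtures carry an empty "Errors" array); treat any as fatal.
  errors = response["Errors"] || []
  raise RuntimeError, "Could not read secrets from AWS Secrets Manager: #{errors.inspect}" unless errors.empty?
  # … unchanged: flatten each SecretString JSON object into "name/key" => value …
end

def get_from_secrets_manager(secrets, account:)
  `aws secretsmanager batch-get-secret-value --secret-id-list #{secrets.map(&:shellescape).join(" ")} --profile #{account.shellescape}`.tap do
    raise RuntimeError, "Could not read #{secrets.join(", ")} from AWS Secrets Manager" unless $?.success?
  end
end
```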
@@ -0,0 +1,87 @@
+require "test_helper"
+
+class AwsSecretsmanagerAdapterTest < SecretAdapterTestCase
+  test "fetch" do
+    stub_ticks
+      .with("aws secretsmanager batch-get-secret-value --secret-id-list secret/KEY1 secret/KEY2 secret2/KEY3 --profile default")
+      .returns(<<~JSON)
+        {
+          "SecretValues": [
+            {
+              "ARN": "arn:aws:secretsmanager:us-east-1:aaaaaaaaaaaa:secret:secret",
+              "Name": "secret",
+              "VersionId": "vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv",
+              "SecretString": "{\\"KEY1\\":\\"VALUE1\\", \\"KEY2\\":\\"VALUE2\\"}",
+              "VersionStages": [
+                "AWSCURRENT"
+              ],
+              "CreatedDate": "2024-01-01T00:00:00.000000"
+            },
+            {
+              "ARN": "arn:aws:secretsmanager:us-east-1:aaaaaaaaaaaa:secret:secret2",
+              "Name": "secret2",
+              "VersionId": "vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv",
+              "SecretString": "{\\"KEY3\\":\\"VALUE3\\"}",
+              "VersionStages": [
+                "AWSCURRENT"
+              ],
+              "CreatedDate": "2024-01-01T00:00:00.000000"
+            }
+          ],
+          "Errors": []
+        }
+      JSON
+
+    json = JSON.parse(shellunescape(run_command("fetch", "secret/KEY1", "secret/KEY2", "secret2/KEY3")))
+
+    expected_json = {
+      "secret/KEY1"=>"VALUE1",
+      "secret/KEY2"=>"VALUE2",
+      "secret2/KEY3"=>"VALUE3"
+    }
+
+    assert_equal expected_json, json
+  end
+
+  test "fetch with secret names" do
+    stub_ticks
+      .with("aws secretsmanager batch-get-secret-value --secret-id-list secret/KEY1 secret/KEY2 --profile default")
+      .returns(<<~JSON)
+        {
+          "SecretValues": [
+            {
+              "ARN": "arn:aws:secretsmanager:us-east-1:aaaaaaaaaaaa:secret:secret",
+              "Name": "secret",
+              "VersionId": "vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv",
+              "SecretString": "{\\"KEY1\\":\\"VALUE1\\", \\"KEY2\\":\\"VALUE2\\"}",
+              "VersionStages": [
+                "AWSCURRENT"
+              ],
+              "CreatedDate": "2024-01-01T00:00:00.000000"
+            }
+          ],
+          "Errors": []
+        }
+      JSON
+
+    json = JSON.parse(shellunescape(run_command("fetch", "--from", "secret", "KEY1", "KEY2")))
+
+    expected_json = {
+      "secret/KEY1"=>"VALUE1",
+      "secret/KEY2"=>"VALUE2"
+    }
+
+    assert_equal expected_json, json
+  end
+
+  private
+    def run_command(*command)
+      stdouted do
+        Kamal::Cli::Secrets.start \
+          [ *command,
+            "-c", "test/fixtures/deploy_with_accessories.yml",
+            "--adapter", "aws_secretsmanager",
+            "--account", "default" ]
+      end
+    end
+end
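Review bot: Both tests cover only the success path: nothing stubs a non-zero exit from the `aws` call or a response with a non-empty `Errors` array, so the adapter's `raise ... unless $?.success?` branch is never executed (and a failure test would have caught that its message references an undefined name). A third test stubbing the same command line to fail — via whatever failing-status variant of `stub_ticks` `SecretAdapterTestCase` provides, which is outside this hunk — and asserting that the fetch errors out would close that gap, and one returning `"SecretValues": []` with an entry under `"Errors"` would pin whether a missing secret is an error or an empty result. Since `run_command` always passes `--account default`, the `--profile` value is also never exercised with anything that would need shell quoting.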