From ba567e0474e77450e54267ac6237c7ae907bc19d Mon Sep 17 00:00:00 2001
From: Nick Hammond
Date: Thu, 12 Dec 2024 05:09:12 -0700
Subject: [PATCH] Just map the secrets returned from AWS
---
 .../secrets/adapters/aws_secrets_manager.rb | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/lib/kamal/secrets/adapters/aws_secrets_manager.rb b/lib/kamal/secrets/adapters/aws_secrets_manager.rb
index e3f54687..c9314ca5 100644
--- a/lib/kamal/secrets/adapters/aws_secrets_manager.rb
+++ b/lib/kamal/secrets/adapters/aws_secrets_manager.rb
@@ -6,15 +6,7 @@ class Kamal::Secrets::Adapters::AwsSecretsManager < Kamal::Secrets::Adapters::Ba
 def fetch_secrets(secrets, account:, session:)
 {}.tap do |results|
- secrets = JSON.parse(get_from_secrets_manager(secrets, account: account))
-
- if secrets["Errors"].present?
- first_error = secrets["Errors"].first
-
- raise RuntimeError, "#{first_error['SecretId']}: #{first_error['Message']}"
- end
-
- secrets["SecretValues"].each do |secret|
+ get_from_secrets_manager(secrets, account: account).each do |secret|
 secret_name = secret["Name"]
 secret_string = JSON.parse(secret["SecretString"])
@@ -30,6 +22,12 @@ class Kamal::Secrets::Adapters::AwsSecretsManager < Kamal::Secrets::Adapters::Ba
 def get_from_secrets_manager(secrets, account:)
 `aws secretsmanager batch-get-secret-value --secret-id-list #{secrets.map(&:shellescape).join(" ")} --profile #{account.shellescape}`.tap do |secrets|
 raise RuntimeError, "Could not read #{secrets} from AWS Secrets Manager" unless $?.success?
+
+ secrets = JSON.parse(secrets)
+
+ return secrets["SecretValues"] unless secrets["Errors"].present?
+
+ raise RuntimeError, secrets["Errors"].map { |error| "#{error['SecretId']}: #{error['Message']}" }.join(", ")
 end
 end
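Review bot: The new `.each` in fetch_secrets is called directly on whatever get_from_secrets_manager returns, so a response that parses but carries no `SecretValues` key arrives here as nil and fails with a NoMethodError on nil rather than an error naming the missing field. Whether the CLI can emit such a response is not visible from this hunk, but failing at the source is cheap: in the helper, `return secrets.fetch("SecretValues") unless secrets["Errors"].present?` raises a KeyError that names the key. The loop body and the rest of fetch_secrets continue outside the hunk.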
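Review bot: `JSON.parse(secrets)` in get_from_secrets_manager runs on the raw CLI output, which holds the secret values, and a JSON::ParserError is not rescued here; depending on the json version its message can quote part of the input, so a truncated or malformed response could put secret material into the error output or logs. Consider wrapping the parse in `rescue JSON::ParserError` and re-raising with a fixed message such as `raise RuntimeError, "Could not parse AWS Secrets Manager response"`. Separately, as a style point, the `return` inside the `tap` block makes tap's own return value unreachable, and the name `secrets` now stands for the requested ids, the raw output and the parsed hash in one method; assigning the command output to a distinctly named local and parsing it after the status check would make it clearer which of the three ends up in each error message.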