From d710b5a22bf40da1952dfb36a6d775096645964d Mon Sep 17 00:00:00 2001 From: Neil Johari Date: Sun, 2 Feb 2025 23:43:51 -0800 Subject: [PATCH 1/5] Allow ommitting AWS account while fetching secrets --- .../secrets/adapters/aws_secrets_manager.rb | 19 +++++--- .../aws_secrets_manager_adapter_test.rb | 43 ++++++++++++++++--- 2 files changed, 51 insertions(+), 11 deletions(-) diff --git a/lib/kamal/secrets/adapters/aws_secrets_manager.rb b/lib/kamal/secrets/adapters/aws_secrets_manager.rb index 48add1ac..bd81c754 100644 --- a/lib/kamal/secrets/adapters/aws_secrets_manager.rb +++ b/lib/kamal/secrets/adapters/aws_secrets_manager.rb @@ -1,15 +1,18 @@ class Kamal::Secrets::Adapters::AwsSecretsManager < Kamal::Secrets::Adapters::Base + def requires_account? + false + end + private def login(_account) nil end - def fetch_secrets(secrets, from:, account:, session:) + def fetch_secrets(secrets, from:, account: nil, session:) {}.tap do |results| get_from_secrets_manager(prefixed_secrets(secrets, from: from), account: account).each do |secret| secret_name = secret["Name"] secret_string = JSON.parse(secret["SecretString"]) - secret_string.each do |key, value| results["#{secret_name}/#{key}"] = value end @@ -19,8 +22,14 @@ class Kamal::Secrets::Adapters::AwsSecretsManager < Kamal::Secrets::Adapters::Ba end end - def get_from_secrets_manager(secrets, account:) - `aws secretsmanager batch-get-secret-value --secret-id-list #{secrets.map(&:shellescape).join(" ")} --profile #{account.shellescape}`.tap do |secrets| + def get_from_secrets_manager(secrets, account: nil) + profile_opt = account ? "--profile #{account.shellescape}" : "" + + args = [ "aws", "secretsmanager", "batch-get-secret-value", "--secret-id-list" ] + secrets.map(&:shellescape) + args += [ "--profile", account.shellescape ] if account + cmd = args.join(" ") + + `#{cmd}`.tap do |secrets| raise RuntimeError, "Could not read #{secrets} from AWS Secrets Manager" unless $?.success? secrets = JSON.parse(secrets) 
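Review bot: The new public `requires_account?` override carries no comment explaining why this adapter can run without an account, and the consequence is only visible in the following hunk: with `account` nil the `--profile` flag is dropped, so the `aws` CLI falls back to its default credential resolution (environment variables, default profile, or an attached role), meaning which AWS account the secrets come from depends on the environment `kamal secrets fetch` runs in. A one-line comment above the method such as `# Optional account: without one, --profile is omitted and the AWS CLI uses its default credential chain` would make that trade-off explicit for operators. Minor style point on the `fetch_secrets` signature: placing the optional keyword `account: nil` before the required `session:` is legal but unusual; `def fetch_secrets(secrets, from:, session:, account: nil)` reads more naturally and callers pass keywords anyway. The body of `fetch_secrets` continues past the end of this hunk.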
@@ -39,4 +48,4 @@ class Kamal::Secrets::Adapters::AwsSecretsManager < Kamal::Secrets::Adapters::Ba `aws --version 2> /dev/null` $?.success? end -end +end \ No newline at end of file diff --git a/test/secrets/aws_secrets_manager_adapter_test.rb b/test/secrets/aws_secrets_manager_adapter_test.rb index 7616342d..00f3de08 100644 --- a/test/secrets/aws_secrets_manager_adapter_test.rb +++ b/test/secrets/aws_secrets_manager_adapter_test.rb @@ -156,14 +156,45 @@ class AwsSecretsManagerAdapterTest < SecretAdapterTestCase assert_equal "AWS CLI is not installed", error.message end + test "fetch without account option omits --profile" do + stub_ticks.with("aws --version 2> /dev/null") + stub_ticks + .with("aws secretsmanager batch-get-secret-value --secret-id-list secret/KEY1 secret/KEY2") + .returns(<<~JSON) + { + "SecretValues": [ + { + "ARN": "arn:aws:secretsmanager:us-east-1:aaaaaaaaaaaa:secret:secret", + "Name": "secret", + "VersionId": "vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv", + "SecretString": "{\\"KEY1\\":\\"VALUE1\\", \\"KEY2\\":\\"VALUE2\\"}", + "VersionStages": [ + "AWSCURRENT" + ], + "CreatedDate": "2024-01-01T00:00:00.000000" + } + ], + "Errors": [] + } + JSON + + json = JSON.parse(shellunescape(run_command("fetch", "--from", "secret", "KEY1", "KEY2", account: nil))) + + expected_json = { + "secret/KEY1"=>"VALUE1", + "secret/KEY2"=>"VALUE2" + } + assert_equal expected_json, json + end + private - def run_command(*command) + def run_command(*command, account: "default") stdouted do - Kamal::Cli::Secrets.start \ - [ *command, - "-c", "test/fixtures/deploy_with_accessories.yml", - "--adapter", "aws_secrets_manager", - "--account", "default" ] + args = [ *command, + "-c", "test/fixtures/deploy_with_accessories.yml", + "--adapter", "aws_secrets_manager" ] + args += [ "--account", account ] if account + Kamal::Cli::Secrets.start(args) end end end From c7d1711e3099b956f704091290d275eedc296ba9 Mon Sep 17 00:00:00 2001 
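Review bot: The test name promises that `--profile` is omitted, but nothing in the test body states how that is checked: the only assertion compares the parsed output, and the omission is enforced indirectly by `stub_ticks.with("aws secretsmanager batch-get-secret-value --secret-id-list secret/KEY1 secret/KEY2")`, which presumably rejects a backtick call whose command string carries `--profile`. A comment above the stub such as `# Exact-match stub doubles as the assertion: a command including --profile would not match` would save the next reader from working that out. The `run_command` change is fine, though `account: false` also omits the flag because of the `if account` guard; `unless account.nil?` would match the adapter's `account: nil` default more precisely if that matters.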
From: Neil Johari Date: Sun, 2 Feb 2025 23:46:09 -0800 Subject: [PATCH 2/5] Remove unnecessary var --- lib/kamal/secrets/adapters/aws_secrets_manager.rb | 2 -- 1 file changed, 2 deletions(-) diff --git a/lib/kamal/secrets/adapters/aws_secrets_manager.rb b/lib/kamal/secrets/adapters/aws_secrets_manager.rb index bd81c754..82c46d91 100644 --- a/lib/kamal/secrets/adapters/aws_secrets_manager.rb +++ b/lib/kamal/secrets/adapters/aws_secrets_manager.rb @@ -23,8 +23,6 @@ class Kamal::Secrets::Adapters::AwsSecretsManager < Kamal::Secrets::Adapters::Ba end def get_from_secrets_manager(secrets, account: nil) - profile_opt = account ? "--profile #{account.shellescape}" : "" - args = [ "aws", "secretsmanager", "batch-get-secret-value", "--secret-id-list" ] + secrets.map(&:shellescape) args += [ "--profile", account.shellescape ] if account cmd = args.join(" ") From ff3538f81ddc6c4850e9749a4e50249035f5f073 Mon Sep 17 00:00:00 2001 From: Neil Johari Date: Sun, 2 Feb 2025 23:54:53 -0800 Subject: [PATCH 3/5] Undo accidental line deletion --- lib/kamal/secrets/adapters/aws_secrets_manager.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/kamal/secrets/adapters/aws_secrets_manager.rb b/lib/kamal/secrets/adapters/aws_secrets_manager.rb index 82c46d91..fb3f887f 100644 --- a/lib/kamal/secrets/adapters/aws_secrets_manager.rb +++ b/lib/kamal/secrets/adapters/aws_secrets_manager.rb @@ -13,6 +13,7 @@ class Kamal::Secrets::Adapters::AwsSecretsManager < Kamal::Secrets::Adapters::Ba get_from_secrets_manager(prefixed_secrets(secrets, from: from), account: account).each do |secret| secret_name = secret["Name"] secret_string = JSON.parse(secret["SecretString"]) + secret_string.each do |key, value| results["#{secret_name}/#{key}"] = value end From e69611efb65bf2a4c455920e84b25f9f264348e6 Mon Sep 17 00:00:00 2001 
From: Neil Johari Date: Mon, 3 Feb 2025 08:56:06 -0800 Subject: [PATCH 4/5] Add final newline --- lib/kamal/secrets/adapters/aws_secrets_manager.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/kamal/secrets/adapters/aws_secrets_manager.rb b/lib/kamal/secrets/adapters/aws_secrets_manager.rb index fb3f887f..1ed5089b 100644 --- a/lib/kamal/secrets/adapters/aws_secrets_manager.rb +++ b/lib/kamal/secrets/adapters/aws_secrets_manager.rb @@ -47,4 +47,5 @@ class Kamal::Secrets::Adapters::AwsSecretsManager < Kamal::Secrets::Adapters::Ba `aws --version 2> /dev/null` $?.success? end -end \ No newline at end of file +end + From 07d05ad58ad76bb855285d9650622b026db79e02 Mon Sep 17 00:00:00 2001 From: Neil Johari Date: Mon, 3 Feb 2025 09:44:39 -0800 Subject: [PATCH 5/5] Run rubocop auto correct --- lib/kamal/secrets/adapters/aws_secrets_manager.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/kamal/secrets/adapters/aws_secrets_manager.rb b/lib/kamal/secrets/adapters/aws_secrets_manager.rb index 1ed5089b..d37b4246 100644 --- a/lib/kamal/secrets/adapters/aws_secrets_manager.rb +++ b/lib/kamal/secrets/adapters/aws_secrets_manager.rb @@ -48,4 +48,3 @@ class Kamal::Secrets::Adapters::AwsSecretsManager < Kamal::Secrets::Adapters::Ba $?.success? end end -