Merge pull request #1392 from neiljohari/feature/allow-omitting-aws-account

Allow omitting AWS account parameter while fetching secrets

lib/kamal/secrets/adapters/aws_secrets_manager.rb

@@ -1,10 +1,14 @@
 class Kamal::Secrets::Adapters::AwsSecretsManager < Kamal::Secrets::Adapters::Base
+  def requires_account?
+    false
+  end
+
   private
     def login(_account)
       nil
     end
 
-    def fetch_secrets(secrets, from:, account:, session:)
+    def fetch_secrets(secrets, from:, account: nil, session:)
       {}.tap do |results|
         get_from_secrets_manager(prefixed_secrets(secrets, from: from), account: account).each do |secret|
           secret_name = secret["Name"]
@@ -19,8 +23,12 @@ class Kamal::Secrets::Adapters::AwsSecretsManager < Kamal::Secrets::Adapters::Ba
       end
     end
 
-    def get_from_secrets_manager(secrets, account:)
+    def get_from_secrets_manager(secrets, account: nil)
-      `aws secretsmanager batch-get-secret-value --secret-id-list #{secrets.map(&:shellescape).join(" ")} --profile #{account.shellescape}`.tap do |secrets|
+      args = [ "aws", "secretsmanager", "batch-get-secret-value", "--secret-id-list" ] + secrets.map(&:shellescape)
+      args += [ "--profile", account.shellescape ] if account
+      cmd = args.join(" ")
+
+      `#{cmd}`.tap do |secrets|
         raise RuntimeError, "Could not read #{secrets} from AWS Secrets Manager" unless $?.success?
 
         secrets = JSON.parse(secrets)

test/secrets/aws_secrets_manager_adapter_test.rb

@@ -156,14 +156,45 @@ class AwsSecretsManagerAdapterTest < SecretAdapterTestCase
     assert_equal "AWS CLI is not installed", error.message
   end
 
+  test "fetch without account option omits --profile" do
+    stub_ticks.with("aws --version 2> /dev/null")
+    stub_ticks
+      .with("aws secretsmanager batch-get-secret-value --secret-id-list secret/KEY1 secret/KEY2")
+      .returns(<<~JSON)
+        {
+          "SecretValues": [
+            {
+              "ARN": "arn:aws:secretsmanager:us-east-1:aaaaaaaaaaaa:secret:secret",
+              "Name": "secret",
+              "VersionId": "vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv",
+              "SecretString": "{\\"KEY1\\":\\"VALUE1\\", \\"KEY2\\":\\"VALUE2\\"}",
+              "VersionStages": [
+                  "AWSCURRENT"
+              ],
+              "CreatedDate": "2024-01-01T00:00:00.000000"
+            }
+          ],
+          "Errors": []
+        }
+      JSON
+
+    json = JSON.parse(shellunescape(run_command("fetch", "--from", "secret", "KEY1", "KEY2", account: nil)))
+
+    expected_json = {
+      "secret/KEY1"=>"VALUE1",
+      "secret/KEY2"=>"VALUE2"
+    }
+    assert_equal expected_json, json
+  end
+
   private
-    def run_command(*command)
+    def run_command(*command, account: "default")
       stdouted do
-        Kamal::Cli::Secrets.start \
+        args = [ *command,
-          [ *command,
+                "-c", "test/fixtures/deploy_with_accessories.yml",
-            "-c", "test/fixtures/deploy_with_accessories.yml",
+                "--adapter", "aws_secrets_manager" ]
-            "--adapter", "aws_secrets_manager",
+        args += [ "--account", account ] if account
-            "--account", "default" ]
+        Kamal::Cli::Secrets.start(args)
       end
     end
 end