diff --git a/lib/kamal/secrets/adapters/aws_secrets_manager.rb b/lib/kamal/secrets/adapters/aws_secrets_manager.rb
index 48add1ac..bd81c754 100644
--- a/lib/kamal/secrets/adapters/aws_secrets_manager.rb
+++ b/lib/kamal/secrets/adapters/aws_secrets_manager.rb
@@ -1,15 +1,18 @@
 class Kamal::Secrets::Adapters::AwsSecretsManager < Kamal::Secrets::Adapters::Base
+ def requires_account?
+ false
+ end
+
 private
 def login(_account)
 nil
 end
 
- def fetch_secrets(secrets, from:, account:, session:)
+ def fetch_secrets(secrets, from:, account: nil, session:)
 {}.tap do |results|
 get_from_secrets_manager(prefixed_secrets(secrets, from: from), account: account).each do |secret|
 secret_name = secret["Name"]
 secret_string = JSON.parse(secret["SecretString"])
-
 secret_string.each do |key, value|
 results["#{secret_name}/#{key}"] = value
 end
@@ -19,8 +22,14 @@ class Kamal::Secrets::Adapters::AwsSecretsManager < Kamal::Secrets::Adapters::Ba
 end
 end
 
- def get_from_secrets_manager(secrets, account:)
- `aws secretsmanager batch-get-secret-value --secret-id-list #{secrets.map(&:shellescape).join(" ")} --profile #{account.shellescape}`.tap do |secrets|
+ def get_from_secrets_manager(secrets, account: nil)
+ profile_opt = account ? "--profile #{account.shellescape}" : ""
+
+ args = [ "aws", "secretsmanager", "batch-get-secret-value", "--secret-id-list" ] + secrets.map(&:shellescape)
+ args += [ "--profile", account.shellescape ] if account
+ cmd = args.join(" ")
+
+ `#{cmd}`.tap do |secrets|
 raise RuntimeError, "Could not read #{secrets} from AWS Secrets Manager" unless $?.success?
 
 secrets = JSON.parse(secrets)
@@ -39,4 +48,4 @@ class Kamal::Secrets::Adapters::AwsSecretsManager < Kamal::Secrets::Adapters::Ba
 `aws --version 2> /dev/null`
 $?.success?
 end
-end
+end
\ No newline at end of file
diff --git a/test/secrets/aws_secrets_manager_adapter_test.rb b/test/secrets/aws_secrets_manager_adapter_test.rb
index 7616342d..00f3de08 100644
--- a/test/secrets/aws_secrets_manager_adapter_test.rb
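Review bot: `requires_account?` is added without a comment saying why this adapter can run without an account, which is the contract the new `account: nil` default on `fetch_secrets` in the same hunk depends on; a one-liner above it such as `# The AWS CLI falls back to its default credential chain when no --profile is given, so --account is optional.` would make that explicit. `fetch_secrets` still forwards `account: account` unchanged, so its signature and `get_from_secrets_manager`'s must stay in step (the companion change is in the next hunk). fetch_secrets's body continues outside this hunk.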
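Review bot: `profile_opt` in `get_from_secrets_manager` is assigned and never read, since the `--profile` flag is appended to `args` two lines later; the line `profile_opt = account ? "--profile #{account.shellescape}" : ""` and the blank line after it should be removed. Every element of `args` is shellescaped, so the join-then-backtick form is safe, but building an argv array only to flatten it back through the shell gives up most of the benefit; `IO.popen(args, &:read)` would run the same command without a shell and still leave `$?` set for the existing success check. The tap block's `|secrets|` parameter shadows the method's `secrets` argument (pre-existing, but the rewrite is a good moment to rename it, e.g. to `output`). The method continues past the end of the hunk, and the file's last hunk also drops the trailing newline, which looks unintended.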
+++ b/test/secrets/aws_secrets_manager_adapter_test.rb
@@ -156,14 +156,45 @@ class AwsSecretsManagerAdapterTest < SecretAdapterTestCase
 assert_equal "AWS CLI is not installed", error.message
 end
 
+ test "fetch without account option omits --profile" do
+ stub_ticks.with("aws --version 2> /dev/null")
+ stub_ticks
+ .with("aws secretsmanager batch-get-secret-value --secret-id-list secret/KEY1 secret/KEY2")
+ .returns(<<~JSON)
+ {
+ "SecretValues": [
+ {
+ "ARN": "arn:aws:secretsmanager:us-east-1:aaaaaaaaaaaa:secret:secret",
+ "Name": "secret",
+ "VersionId": "vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv",
+ "SecretString": "{\\"KEY1\\":\\"VALUE1\\", \\"KEY2\\":\\"VALUE2\\"}",
+ "VersionStages": [
+ "AWSCURRENT"
+ ],
+ "CreatedDate": "2024-01-01T00:00:00.000000"
+ }
+ ],
+ "Errors": []
+ }
+ JSON
+
+ json = JSON.parse(shellunescape(run_command("fetch", "--from", "secret", "KEY1", "KEY2", account: nil)))
+
+ expected_json = {
+ "secret/KEY1"=>"VALUE1",
+ "secret/KEY2"=>"VALUE2"
+ }
+ assert_equal expected_json, json
+ end
+
 private
- def run_command(*command)
+ def run_command(*command, account: "default")
 stdouted do
- Kamal::Cli::Secrets.start \
- [ *command,
- "-c", "test/fixtures/deploy_with_accessories.yml",
- "--adapter", "aws_secrets_manager",
- "--account", "default" ]
+ args = [ *command,
+ "-c", "test/fixtures/deploy_with_accessories.yml",
+ "--adapter", "aws_secrets_manager" ]
+ args += [ "--account", account ] if account
+ Kamal::Cli::Secrets.start(args)
 end
 end
 end