Allow ommitting AWS account while fetching secrets
This commit is contained in:
@@ -1,15 +1,18 @@
|
||||
class Kamal::Secrets::Adapters::AwsSecretsManager < Kamal::Secrets::Adapters::Base
|
||||
def requires_account?
|
||||
false
|
||||
end
|
||||
|
||||
private
|
||||
def login(_account)
|
||||
nil
|
||||
end
|
||||
|
||||
def fetch_secrets(secrets, from:, account:, session:)
|
||||
def fetch_secrets(secrets, from:, account: nil, session:)
|
||||
{}.tap do |results|
|
||||
get_from_secrets_manager(prefixed_secrets(secrets, from: from), account: account).each do |secret|
|
||||
secret_name = secret["Name"]
|
||||
secret_string = JSON.parse(secret["SecretString"])
|
||||
|
||||
secret_string.each do |key, value|
|
||||
results["#{secret_name}/#{key}"] = value
|
||||
end
|
||||
@@ -19,8 +22,14 @@ class Kamal::Secrets::Adapters::AwsSecretsManager < Kamal::Secrets::Adapters::Ba
|
||||
end
|
||||
end
|
||||
|
||||
def get_from_secrets_manager(secrets, account:)
|
||||
`aws secretsmanager batch-get-secret-value --secret-id-list #{secrets.map(&:shellescape).join(" ")} --profile #{account.shellescape}`.tap do |secrets|
|
||||
def get_from_secrets_manager(secrets, account: nil)
|
||||
profile_opt = account ? "--profile #{account.shellescape}" : ""
|
||||
|
||||
args = [ "aws", "secretsmanager", "batch-get-secret-value", "--secret-id-list" ] + secrets.map(&:shellescape)
|
||||
args += [ "--profile", account.shellescape ] if account
|
||||
cmd = args.join(" ")
|
||||
|
||||
`#{cmd}`.tap do |secrets|
|
||||
raise RuntimeError, "Could not read #{secrets} from AWS Secrets Manager" unless $?.success?
|
||||
|
||||
secrets = JSON.parse(secrets)
|
||||
@@ -39,4 +48,4 @@ class Kamal::Secrets::Adapters::AwsSecretsManager < Kamal::Secrets::Adapters::Ba
|
||||
`aws --version 2> /dev/null`
|
||||
$?.success?
|
||||
end
|
||||
end
|
||||
end
|
||||
Reference in New Issue
Block a user