Allow ommitting AWS account while fetching secrets

2025-02-02 23:43:51 -08:00
parent 5ddaa3810d
commit d710b5a22b
2 changed files with 51 additions and 11 deletions
--- a/lib/kamal/secrets/adapters/aws_secrets_manager.rb
+++ b/lib/kamal/secrets/adapters/aws_secrets_manager.rb
@@ -1,15 +1,18 @@
 class Kamal::Secrets::Adapters::AwsSecretsManager < Kamal::Secrets::Adapters::Base
+  def requires_account?
+    false
+  end
+
  private
    def login(_account)
      nil
    end

-    def fetch_secrets(secrets, from:, account:, session:)
+    def fetch_secrets(secrets, from:, account: nil, session:)
      {}.tap do |results|
        get_from_secrets_manager(prefixed_secrets(secrets, from: from), account: account).each do |secret|
          secret_name = secret["Name"]
          secret_string = JSON.parse(secret["SecretString"])
-
          secret_string.each do |key, value|
            results["#{secret_name}/#{key}"] = value
          end
@@ -19,8 +22,14 @@ class Kamal::Secrets::Adapters::AwsSecretsManager < Kamal::Secrets::Adapters::Ba
      end
    end

-    def get_from_secrets_manager(secrets, account:)
-      `aws secretsmanager batch-get-secret-value --secret-id-list #{secrets.map(&:shellescape).join(" ")} --profile #{account.shellescape}`.tap do |secrets|
+    def get_from_secrets_manager(secrets, account: nil)
+      profile_opt = account ? "--profile #{account.shellescape}" : ""
+
+      args = [ "aws", "secretsmanager", "batch-get-secret-value", "--secret-id-list" ] + secrets.map(&:shellescape)
+      args += [ "--profile", account.shellescape ] if account
+      cmd = args.join(" ")
+
+      `#{cmd}`.tap do |secrets|
        raise RuntimeError, "Could not read #{secrets} from AWS Secrets Manager" unless $?.success?

        secrets = JSON.parse(secrets)
--- a/test/secrets/aws_secrets_manager_adapter_test.rb
+++ b/test/secrets/aws_secrets_manager_adapter_test.rb
@@ -156,14 +156,45 @@ class AwsSecretsManagerAdapterTest < SecretAdapterTestCase
    assert_equal "AWS CLI is not installed", error.message
  end

+  test "fetch without account option omits --profile" do
+    stub_ticks.with("aws --version 2> /dev/null")
+    stub_ticks
+      .with("aws secretsmanager batch-get-secret-value --secret-id-list secret/KEY1 secret/KEY2")
+      .returns(<<~JSON)
+        {
+          "SecretValues": [
+            {
+              "ARN": "arn:aws:secretsmanager:us-east-1:aaaaaaaaaaaa:secret:secret",
+              "Name": "secret",
+              "VersionId": "vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv",
+              "SecretString": "{\\"KEY1\\":\\"VALUE1\\", \\"KEY2\\":\\"VALUE2\\"}",
+              "VersionStages": [
+                  "AWSCURRENT"
+              ],
+              "CreatedDate": "2024-01-01T00:00:00.000000"
+            }
+          ],
+          "Errors": []
+        }
+      JSON
+
+    json = JSON.parse(shellunescape(run_command("fetch", "--from", "secret", "KEY1", "KEY2", account: nil)))
+
+    expected_json = {
+      "secret/KEY1"=>"VALUE1",
+      "secret/KEY2"=>"VALUE2"
+    }
+    assert_equal expected_json, json
+  end
+
  private
-    def run_command(*command)
+    def run_command(*command, account: "default")
      stdouted do
-        Kamal::Cli::Secrets.start \
-          [ *command,
+        args = [ *command,
                "-c", "test/fixtures/deploy_with_accessories.yml",
-            "--adapter", "aws_secrets_manager",
-            "--account", "default" ]
+                "--adapter", "aws_secrets_manager" ]
+        args += [ "--account", account ] if account
+        Kamal::Cli::Secrets.start(args)
      end
    end
 end