Merge pull request #1292 from nickhammond/aws-secrets-manager-simple
Aws secrets manager simple strings and error checking
This commit is contained in:
Donal McBreen
@@ -6,20 +6,28 @@ class Kamal::Secrets::Adapters::AwsSecretsManager < Kamal::Secrets::Adapters::Ba
|
|||||||
|
|
||||||
def fetch_secrets(secrets, account:, session:)
|
def fetch_secrets(secrets, account:, session:)
|
||||||
{}.tap do |results|
|
{}.tap do |results|
|
||||||
JSON.parse(get_from_secrets_manager(secrets, account: account))["SecretValues"].each do |secret|
|
get_from_secrets_manager(secrets, account: account).each do |secret|
|
||||||
secret_name = secret["Name"]
|
secret_name = secret["Name"]
|
||||||
secret_string = JSON.parse(secret["SecretString"])
|
secret_string = JSON.parse(secret["SecretString"])
|
||||||
|
|
||||||
secret_string.each do |key, value|
|
secret_string.each do |key, value|
|
||||||
results["#{secret_name}/#{key}"] = value
|
results["#{secret_name}/#{key}"] = value
|
||||||
end
|
end
|
||||||
|
rescue JSON::ParserError
|
||||||
|
results["#{secret_name}"] = secret["SecretString"]
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def get_from_secrets_manager(secrets, account:)
|
def get_from_secrets_manager(secrets, account:)
|
||||||
`aws secretsmanager batch-get-secret-value --secret-id-list #{secrets.map(&:shellescape).join(" ")} --profile #{account.shellescape}`.tap do
|
`aws secretsmanager batch-get-secret-value --secret-id-list #{secrets.map(&:shellescape).join(" ")} --profile #{account.shellescape}`.tap do |secrets|
|
||||||
raise RuntimeError, "Could not read #{secret} from AWS Secrets Manager" unless $?.success?
|
raise RuntimeError, "Could not read #{secrets} from AWS Secrets Manager" unless $?.success?
|
||||||
|
|
||||||
|
secrets = JSON.parse(secrets)
|
||||||
|
|
||||||
|
return secrets["SecretValues"] unless secrets["Errors"].present?
|
||||||
|
|
||||||
|
raise RuntimeError, secrets["Errors"].map { |error| "#{error['SecretId']}: #{error['Message']}" }.join(" ")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|||||||
@@ -1,6 +1,35 @@
|
|||||||
require "test_helper"
|
require "test_helper"
|
||||||
|
|
||||||
class AwsSecretsManagerAdapterTest < SecretAdapterTestCase
|
class AwsSecretsManagerAdapterTest < SecretAdapterTestCase
|
||||||
|
test "fails when errors are present" do
|
||||||
|
stub_ticks.with("aws --version 2> /dev/null")
|
||||||
|
stub_ticks
|
||||||
|
.with("aws secretsmanager batch-get-secret-value --secret-id-list unknown1 unknown2 --profile default")
|
||||||
|
.returns(<<~JSON)
|
||||||
|
{
|
||||||
|
"SecretValues": [],
|
||||||
|
"Errors": [
|
||||||
|
{
|
||||||
|
"SecretId": "unknown1",
|
||||||
|
"ErrorCode": "ResourceNotFoundException",
|
||||||
|
"Message": "Secrets Manager can't find the specified secret."
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"SecretId": "unknown2",
|
||||||
|
"ErrorCode": "ResourceNotFoundException",
|
||||||
|
"Message": "Secrets Manager can't find the specified secret."
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
JSON
|
||||||
|
|
||||||
|
error = assert_raises RuntimeError do
|
||||||
|
JSON.parse(shellunescape(run_command("fetch", "unknown1", "unknown2")))
|
||||||
|
end
|
||||||
|
|
||||||
|
assert_equal [ "unknown1: Secrets Manager can't find the specified secret.", "unknown2: Secrets Manager can't find the specified secret." ].join(" "), error.message
|
||||||
|
end
|
||||||
|
|
||||||
test "fetch" do
|
test "fetch" do
|
||||||
stub_ticks.with("aws --version 2> /dev/null")
|
stub_ticks.with("aws --version 2> /dev/null")
|
||||||
stub_ticks
|
stub_ticks
|
||||||
@@ -44,6 +73,48 @@ class AwsSecretsManagerAdapterTest < SecretAdapterTestCase
|
|||||||
assert_equal expected_json, json
|
assert_equal expected_json, json
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "fetch with string value" do
|
||||||
|
stub_ticks.with("aws --version 2> /dev/null")
|
||||||
|
stub_ticks
|
||||||
|
.with("aws secretsmanager batch-get-secret-value --secret-id-list secret secret2/KEY1 --profile default")
|
||||||
|
.returns(<<~JSON)
|
||||||
|
{
|
||||||
|
"SecretValues": [
|
||||||
|
{
|
||||||
|
"ARN": "arn:aws:secretsmanager:us-east-1:aaaaaaaaaaaa:secret:secret",
|
||||||
|
"Name": "secret",
|
||||||
|
"VersionId": "vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv",
|
||||||
|
"SecretString": "a-string-secret",
|
||||||
|
"VersionStages": [
|
||||||
|
"AWSCURRENT"
|
||||||
|
],
|
||||||
|
"CreatedDate": "2024-01-01T00:00:00.000000"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"ARN": "arn:aws:secretsmanager:us-east-1:aaaaaaaaaaaa:secret:secret2",
|
||||||
|
"Name": "secret2",
|
||||||
|
"VersionId": "vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv",
|
||||||
|
"SecretString": "{\\"KEY2\\":\\"VALUE2\\"}",
|
||||||
|
"VersionStages": [
|
||||||
|
"AWSCURRENT"
|
||||||
|
],
|
||||||
|
"CreatedDate": "2024-01-01T00:00:00.000000"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"Errors": []
|
||||||
|
}
|
||||||
|
JSON
|
||||||
|
|
||||||
|
json = JSON.parse(shellunescape(run_command("fetch", "secret", "secret2/KEY1")))
|
||||||
|
|
||||||
|
expected_json = {
|
||||||
|
"secret"=>"a-string-secret",
|
||||||
|
"secret2/KEY2"=>"VALUE2"
|
||||||
|
}
|
||||||
|
|
||||||
|
assert_equal expected_json, json
|
||||||
|
end
|
||||||
|
|
||||||
test "fetch with secret names" do
|
test "fetch with secret names" do
|
||||||
stub_ticks.with("aws --version 2> /dev/null")
|
stub_ticks.with("aws --version 2> /dev/null")
|
||||||
stub_ticks
|
stub_ticks
|
||||||
|
|||||||
Reference in New Issue
Block a user