From e4641773499192f7ba0b0b8c27706540a37fa78e Mon Sep 17 00:00:00 2001
From: Nick Hammond
Date: Thu, 12 Dec 2024 04:58:53 -0700
Subject: [PATCH] Check for errors from AWS secrets manager

---
 .../secrets/adapters/aws_secrets_manager.rb | 14 ++++++++---
 .../aws_secrets_manager_adapter_test.rb | 24 +++++++++++++++++++
 2 files changed, 35 insertions(+), 3 deletions(-)

diff --git a/lib/kamal/secrets/adapters/aws_secrets_manager.rb b/lib/kamal/secrets/adapters/aws_secrets_manager.rb
index 5db8fd7c..e3f54687 100644
--- a/lib/kamal/secrets/adapters/aws_secrets_manager.rb
+++ b/lib/kamal/secrets/adapters/aws_secrets_manager.rb
@@ -6,7 +6,15 @@ class Kamal::Secrets::Adapters::AwsSecretsManager < Kamal::Secrets::Adapters::Ba
   def fetch_secrets(secrets, account:, session:)
     {}.tap do |results|
-      JSON.parse(get_from_secrets_manager(secrets, account: account))["SecretValues"].each do |secret|
+      secrets = JSON.parse(get_from_secrets_manager(secrets, account: account))
+
+      if secrets["Errors"].present?
+        first_error = secrets["Errors"].first
+
+        raise RuntimeError, "#{first_error['SecretId']}: #{first_error['Message']}"
+      end
+
+      secrets["SecretValues"].each do |secret|
         secret_name = secret["Name"]
         secret_string = JSON.parse(secret["SecretString"])
@@ -20,8 +28,8 @@ class Kamal::Secrets::Adapters::AwsSecretsManager < Kamal::Secrets::Adapters::Ba
   end

   def get_from_secrets_manager(secrets, account:)
-    `aws secretsmanager batch-get-secret-value --secret-id-list #{secrets.map(&:shellescape).join(" ")} --profile #{account.shellescape}`.tap do
-      raise RuntimeError, "Could not read #{secret} from AWS Secrets Manager" unless $?.success?
+    `aws secretsmanager batch-get-secret-value --secret-id-list #{secrets.map(&:shellescape).join(" ")} --profile #{account.shellescape}`.tap do |secrets|
+      raise RuntimeError, "Could not read #{secrets} from AWS Secrets Manager" unless $?.success?
     end
   end
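Review bot: The added lines rebind the `secrets` parameter to the parsed response and then raise on only `secrets["Errors"].first`, so when several secret IDs fail the operator sees one of them and must rerun to discover the rest, even though the other entries carry the `ErrorCode`/`Message` needed to tell a missing secret from a permissions problem. Naming the parsed hash `response` keeps the parameter meaning "the IDs that were requested" and joining every error into one message still produces exactly the string the new test expects for a single error. The `present?` call presumably relies on ActiveSupport being loaded elsewhere; that is not visible in this hunk. fetch_secrets continues past the end of the hunk.
```ruby
    {}.tap do |results|
      response = JSON.parse(get_from_secrets_manager(secrets, account: account))

      if response["Errors"].present?
        messages = response["Errors"].map { |error| "#{error['SecretId']}: #{error['Message']}" }

        raise RuntimeError, messages.join(", ")
      end

      response["SecretValues"].each do |secret|
        # … unchanged: per-secret flattening into results …
```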
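Review bot: The new block parameter `|secrets|` in get_from_secrets_manager shadows the method's `secrets` list with the command's standard output, so the failure message interpolates whatever the aws CLI wrote to stdout instead of the secret IDs that could not be read; on a non-zero exit that output is likely empty, since the CLI appears to report errors on stderr, leaving a message with no identifier in it. Keeping the list in scope only needs a different block name: `.tap do |output|` and `raise RuntimeError, "Could not read #{secrets.join(", ")} from AWS Secrets Manager" unless $?.success?`. get_from_secrets_manager is fully inside the hunk; the leading `end` is the close of fetch_secrets.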
diff --git a/test/secrets/aws_secrets_manager_adapter_test.rb b/test/secrets/aws_secrets_manager_adapter_test.rb
index 3fbfe3e9..5873731e 100644
--- a/test/secrets/aws_secrets_manager_adapter_test.rb
+++ b/test/secrets/aws_secrets_manager_adapter_test.rb
@@ -1,6 +1,30 @@
 require "test_helper"
 class AwsSecretsManagerAdapterTest < SecretAdapterTestCase
+  test "fails when errors are present" do
+    stub_ticks.with("aws --version 2> /dev/null")
+    stub_ticks
+      .with("aws secretsmanager batch-get-secret-value --secret-id-list unknown-secret-id --profile default")
+      .returns(<<~JSON)
+        {
+          "SecretValues": [],
+          "Errors": [
+            {
+              "SecretId": "unknown-secret-id",
+              "ErrorCode": "ResourceNotFoundException",
+              "Message": "Secrets Manager can't find the specified secret."
+            }
+          ]
+        }
+      JSON
+
+    error = assert_raises RuntimeError do
+      JSON.parse(shellunescape(run_command("fetch", "unknown-secret-id")))
+    end
+
+    assert_equal "unknown-secret-id: Secrets Manager can't find the specified secret.", error.message
+  end
+
   test "fetch" do
     stub_ticks.with("aws --version 2> /dev/null")
     stub_ticks
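Review bot: The new test fixes only the single-error shape of the response (one entry in `Errors`, empty `SecretValues`), so it does not pin what the adapter does when several IDs fail or when errors and values arrive in the same response; the adapter hunk in the other file reports just the first error, and a second fixture with two `Errors` entries would document whether that is the intended message shape. The `JSON.parse(shellunescape(...))` wrapper inside `assert_raises` is never reached on the raising path, so `run_command("fetch", "unknown-secret-id")` alone reads more directly and avoids suggesting the output is parsed.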