Check for errors from AWS secrets manager
@@ -6,7 +6,15 @@ class Kamal::Secrets::Adapters::AwsSecretsManager < Kamal::Secrets::Adapters::Ba
|
|||||||
|
|
||||||
def fetch_secrets(secrets, account:, session:)
|
def fetch_secrets(secrets, account:, session:)
|
||||||
{}.tap do |results|
|
{}.tap do |results|
|
||||||
JSON.parse(get_from_secrets_manager(secrets, account: account))["SecretValues"].each do |secret|
|
secrets = JSON.parse(get_from_secrets_manager(secrets, account: account))
|
||||||
|
|
||||||
|
if secrets["Errors"].present?
|
||||||
|
first_error = secrets["Errors"].first
|
||||||
|
|
||||||
|
raise RuntimeError, "#{first_error['SecretId']}: #{first_error['Message']}"
|
||||||
|
end
|
||||||
|
|
||||||
|
secrets["SecretValues"].each do |secret|
|
||||||
secret_name = secret["Name"]
|
secret_name = secret["Name"]
|
||||||
secret_string = JSON.parse(secret["SecretString"])
|
secret_string = JSON.parse(secret["SecretString"])
|
||||||
|
|
||||||
@@ -20,8 +28,8 @@ class Kamal::Secrets::Adapters::AwsSecretsManager < Kamal::Secrets::Adapters::Ba
|
|||||||
end
|
end
|
||||||
|
|
||||||
def get_from_secrets_manager(secrets, account:)
|
def get_from_secrets_manager(secrets, account:)
|
||||||
`aws secretsmanager batch-get-secret-value --secret-id-list #{secrets.map(&:shellescape).join(" ")} --profile #{account.shellescape}`.tap do
|
`aws secretsmanager batch-get-secret-value --secret-id-list #{secrets.map(&:shellescape).join(" ")} --profile #{account.shellescape}`.tap do |secrets|
|
||||||
raise RuntimeError, "Could not read #{secret} from AWS Secrets Manager" unless $?.success?
|
raise RuntimeError, "Could not read #{secrets} from AWS Secrets Manager" unless $?.success?
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|||||||
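Review bot: In the second hunk the `tap` block parameter `|secrets|` shadows the method's `secrets` argument, so the message raised when the command fails interpolates the command's stdout (probably empty, if the CLI writes its diagnostics to stderr) rather than the secret ids that could not be read. Renaming the block parameter removes both the shadowing and the misleading text: `.tap do |output|` together with `raise RuntimeError, "Could not read #{secrets.join(", ")} from AWS Secrets Manager" unless $?.success?`. The first hunk has the same pattern, reassigning `secrets` to the parsed response; `response = JSON.parse(get_from_secrets_manager(secrets, account: account))` would keep the id list and the API payload distinguishable (fetch_secrets continues outside the hunk). That hunk's raised message also drops the response's `ErrorCode`, which the test fixture shows AWS returns and which is the stable field for telling a missing secret from a permission problem; `raise RuntimeError, "#{first_error['SecretId']}: #{first_error['Message']} (#{first_error['ErrorCode']})"` would carry it, at the cost of updating the expected message in the test.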
@@ -1,6 +1,30 @@
|
|||||||
require "test_helper"
|
require "test_helper"
|
||||||
|
|
||||||
class AwsSecretsManagerAdapterTest < SecretAdapterTestCase
|
class AwsSecretsManagerAdapterTest < SecretAdapterTestCase
|
||||||
|
test "fails when errors are present" do
|
||||||
|
stub_ticks.with("aws --version 2> /dev/null")
|
||||||
|
stub_ticks
|
||||||
|
.with("aws secretsmanager batch-get-secret-value --secret-id-list unknown-secret-id --profile default")
|
||||||
|
.returns(<<~JSON)
|
||||||
|
{
|
||||||
|
"SecretValues": [],
|
||||||
|
"Errors": [
|
||||||
|
{
|
||||||
|
"SecretId": "unknown-secret-id",
|
||||||
|
"ErrorCode": "ResourceNotFoundException",
|
||||||
|
"Message": "Secrets Manager can't find the specified secret."
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
JSON
|
||||||
|
|
||||||
|
error = assert_raises RuntimeError do
|
||||||
|
JSON.parse(shellunescape(run_command("fetch", "unknown-secret-id")))
|
||||||
|
end
|
||||||
|
|
||||||
|
assert_equal "unknown-secret-id: Secrets Manager can't find the specified secret.", error.message
|
||||||
|
end
|
||||||
|
|
||||||
test "fetch" do
|
test "fetch" do
|
||||||
stub_ticks.with("aws --version 2> /dev/null")
|
stub_ticks.with("aws --version 2> /dev/null")
|
||||||
stub_ticks
|
stub_ticks
|
||||||
|
|||||||
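Review bot: The new test only exercises a response whose `SecretValues` is empty, so it does not pin the adapter's fail-closed behaviour when AWS returns some values alongside `Errors` (the adapter raises before iterating `SecretValues`). A second case with one entry in `SecretValues` and one in `Errors`, asserting the same `RuntimeError` and that no secret is printed, would document that a partial batch never yields partial secrets. The fixture's `ErrorCode` value is never asserted, so a regression that stops surfacing it in the message would go unnoticed here.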