increase or parameterise LIST_SECRETS_MAX_RESULTS

[davidrichardsonleit]

Hi all.

Are there any issues with either:

• increasing LIST_SECRETS_MAX_RESULTS to 1_000
• parameterising LIST_SECRETS_MAX_RESULTS

I have a need to fetch low thousands of passwords for the creation of new database users.

The creation of the users is managed in a CICD pipeline that is a separate concern from the creation of the secret (for security reasons).

What are your thoughts?

[jirkafajfr]

Hi,

the ListSecrets API has limit of 100 elements per page. This github action doesn't support paging and only first page is returned as of today. We will look into this on our next planning session.

I wanted to call out that secrets are exported as environment variables that eventually needs to be passed as arguments when the new process forks. The size of the ARG_MAX value depends on the OS (you can find out by calling getconf ARG_MAX). The github shared linux runners seems to support up to 4MB as of today, but people could be using older self hosted runners that are limited to 128KB. It means roughly 3K secrets, assuming that the name + value is roughly 40 characters on average. We would not go close to these limits. If your use-case ever grows close to these numbers you should consider leveraging the SecretsManager API directly to avoid limitations of github action.