Merge pull request #1292 from nickhammond/aws-secrets-manager-simple

Aws secrets manager simple strings and error checking
basecamp · Dec 13, 2024 · d9c2553 · d9c2553
2 parents d5ec0e6 + 725da6a
commit d9c2553
Show file tree

Hide file tree

Showing 2 changed files with 82 additions and 3 deletions.
diff --git a/lib/kamal/secrets/adapters/aws_secrets_manager.rb b/lib/kamal/secrets/adapters/aws_secrets_manager.rb
@@ -6,20 +6,28 @@ def login(_account)
 
     def fetch_secrets(secrets, account:, session:)
       {}.tap do |results|
-        JSON.parse(get_from_secrets_manager(secrets, account: account))["SecretValues"].each do |secret|
+        get_from_secrets_manager(secrets, account: account).each do |secret|
           secret_name = secret["Name"]
           secret_string = JSON.parse(secret["SecretString"])
 
           secret_string.each do |key, value|
             results["#{secret_name}/#{key}"] = value
           end
+        rescue JSON::ParserError
+          results["#{secret_name}"] = secret["SecretString"]
         end
       end
     end
 
     def get_from_secrets_manager(secrets, account:)
-      `aws secretsmanager batch-get-secret-value --secret-id-list #{secrets.map(&:shellescape).join(" ")} --profile #{account.shellescape}`.tap do
-        raise RuntimeError, "Could not read #{secret} from AWS Secrets Manager" unless $?.success?
+      `aws secretsmanager batch-get-secret-value --secret-id-list #{secrets.map(&:shellescape).join(" ")} --profile #{account.shellescape}`.tap do |secrets|
+        raise RuntimeError, "Could not read #{secrets} from AWS Secrets Manager" unless $?.success?
+
+        secrets = JSON.parse(secrets)
+
+        return secrets["SecretValues"] unless secrets["Errors"].present?
+
+        raise RuntimeError, secrets["Errors"].map { |error| "#{error['SecretId']}: #{error['Message']}" }.join(" ")
       end
     end
 

diff --git a/test/secrets/aws_secrets_manager_adapter_test.rb b/test/secrets/aws_secrets_manager_adapter_test.rb
@@ -1,6 +1,35 @@
 require "test_helper"
 
 class AwsSecretsManagerAdapterTest < SecretAdapterTestCase
+  test "fails when errors are present" do
+    stub_ticks.with("aws --version 2> /dev/null")
+    stub_ticks
+      .with("aws secretsmanager batch-get-secret-value --secret-id-list unknown1 unknown2 --profile default")
+      .returns(<<~JSON)
+        {
+          "SecretValues": [],
+          "Errors": [
+            {
+                "SecretId": "unknown1",
+                "ErrorCode": "ResourceNotFoundException",
+                "Message": "Secrets Manager can't find the specified secret."
+            },
+            {
+                "SecretId": "unknown2",
+                "ErrorCode": "ResourceNotFoundException",
+                "Message": "Secrets Manager can't find the specified secret."
+            }
+          ]
+        }
+      JSON
+
+    error = assert_raises RuntimeError do
+      JSON.parse(shellunescape(run_command("fetch", "unknown1", "unknown2")))
+    end
+
+    assert_equal [ "unknown1: Secrets Manager can't find the specified secret.", "unknown2: Secrets Manager can't find the specified secret." ].join(" "), error.message
+  end
+
   test "fetch" do
     stub_ticks.with("aws --version 2> /dev/null")
     stub_ticks
@@ -44,6 +73,48 @@ class AwsSecretsManagerAdapterTest < SecretAdapterTestCase
     assert_equal expected_json, json
   end
 
+  test "fetch with string value" do
+    stub_ticks.with("aws --version 2> /dev/null")
+    stub_ticks
+      .with("aws secretsmanager batch-get-secret-value --secret-id-list secret secret2/KEY1 --profile default")
+      .returns(<<~JSON)
+        {
+          "SecretValues": [
+            {
+              "ARN": "arn:aws:secretsmanager:us-east-1:aaaaaaaaaaaa:secret:secret",
+              "Name": "secret",
+              "VersionId": "vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv",
+              "SecretString": "a-string-secret",
+              "VersionStages": [
+                  "AWSCURRENT"
+              ],
+              "CreatedDate": "2024-01-01T00:00:00.000000"
+            },
+            {
+              "ARN": "arn:aws:secretsmanager:us-east-1:aaaaaaaaaaaa:secret:secret2",
+              "Name": "secret2",
+              "VersionId": "vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv",
+              "SecretString": "{\\"KEY2\\":\\"VALUE2\\"}",
+              "VersionStages": [
+                  "AWSCURRENT"
+              ],
+              "CreatedDate": "2024-01-01T00:00:00.000000"
+            }
+          ],
+          "Errors": []
+        }
+      JSON
+
+    json = JSON.parse(shellunescape(run_command("fetch", "secret", "secret2/KEY1")))
+
+    expected_json = {
+      "secret"=>"a-string-secret",
+      "secret2/KEY2"=>"VALUE2"
+    }
+
+    assert_equal expected_json, json
+  end
+
   test "fetch with secret names" do
     stub_ticks.with("aws --version 2> /dev/null")
     stub_ticks