-
Notifications
You must be signed in to change notification settings - Fork 488
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add secrets adapter for aws secrets manager #1141
feat: add secrets adapter for aws secrets manager #1141
Conversation
@@ -0,0 +1,25 @@ | |||
class Kamal::Secrets::Adapters::AwsSecretsmanager < Kamal::Secrets::Adapters::Base |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The official name is AWS Secrets Manager
, so let's call this AwsSecretsManager
(and rename the file to aws_secrets_manager.rb
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's funny, I went back and forth on the name but ultimately decided on one word because the AWS CLI calls it "secretsmanager" over "secrets-manager". I agree though, I like the two word version better and will get that changed.
class Kamal::Secrets::Adapters::AwsSecretsmanager < Kamal::Secrets::Adapters::Base | ||
private | ||
def login(_account) | ||
nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's no sensible default way to implement this is there? Would be nice if we could prompt for MFA from here if that was enabled, but we'd need to know all about the IAM setup for that to work I think.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think there's just too many different ways to authenticate with AWS. I believe the preferred method is SSO using the aws sso login
command, but the user could also be authenticated with access keys, environment variables, automatically (if they're on an EC2 instance with an IAM Role), or even an external process.
One option would be to check if the user is authenticated with aws sts get-caller-identity
, and if that command returns an error, attempt to run aws sso login
. However, this could be confusing if they normally authenticate a different way, or even worse have aws cli v1 installed which doesn't include sso login.
What do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes let's leave it for now. We could I guess add a separate SsoAwsSecretsManager
or something like that later.
@@ -0,0 +1,87 @@ | |||
require "test_helper" | |||
|
|||
class AwsSecretsmanagerAdapterTest < SecretAdapterTestCase |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we rename this too?
end | ||
|
||
def get_from_secrets_manager(secrets, account:) | ||
`aws secretsmanager batch-get-secret-value --secret-id-list #{secrets.map(&:shellescape).join(" ")} --profile #{account}`.tap do |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's shell escape the account here as well 👍
@justindell - thanks for the PR! Just a few minor suggestions, then we can get this merged. |
Sorry one more thing - could we also implement the check_dependencies! method that was recently added to the base adapter. It should give a nice error message if the cli is not installed. |
Should be all set! Let me know if you see anything else |
@justindell Thanks for this addition just what I needed. However I found an issue when trying this out. I have some passwords containing
as you can see it is escaping the |
Could it be related to this? #1009 What happens if you try the |
here is output of
when running was able to fix it with a new method
|
This looks like an issue outside of the scope of the aws secrets manager. I just created passwords with both 1password and AWS Secrets Manager with a password value of "test(", and it looks like it isn't properly being extracted (although "test" works fine on both). Would you like to create an issue? |
I'll create a PR to fix this issue |
This add AWS Secrets Manager as a secrets adapter. It assumes the AWS CLI is installed and has access to secrets manager, so no login step is required. Instead, the
--account
option is used to select a profile name, which is typicallydefault
.Site documentation PR: documentation for aws secrets manager