packer-cn/template/interpolate/aws/secretsmanager/secretsmanager.go

// Package secretsmanager provide methods to get data from
// AWS Secret Manager
package secretsmanager

import (
	"encoding/json"
	"errors"
	"fmt"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/secretsmanager"
	"github.com/aws/aws-sdk-go/service/secretsmanager/secretsmanageriface"
)

// Client represents an AWS Secrets Manager client
type Client struct {
	config *AWSConfig
	api    secretsmanageriface.SecretsManagerAPI
}

// New creates an AWS Session Manager Client
func New(config *AWSConfig) *Client {
	c := &Client{
		config: config,
	}

	s := c.newSession(config)
	c.api = secretsmanager.New(s)
	return c
}

func (c *Client) newSession(config *AWSConfig) *session.Session {
	// Initialize config with error verbosity
	sessConfig := aws.NewConfig().WithCredentialsChainVerboseErrors(true)

	if config.Region != "" {
		sessConfig = sessConfig.WithRegion(config.Region)
	}

	opts := session.Options{
		SharedConfigState: session.SharedConfigEnable,
		Config:            *sessConfig,
	}

	return session.Must(session.NewSessionWithOptions(opts))
}

// GetSecret return an AWS Secret Manager secret
// in plain text from a given secret name
func (c *Client) GetSecret(spec *SecretSpec) (string, error) {
	params := &secretsmanager.GetSecretValueInput{
		SecretId:     aws.String(spec.Name),
		VersionStage: aws.String("AWSCURRENT"),
	}

	resp, err := c.api.GetSecretValue(params)
	if err != nil {
		return "", err
	}

	if resp.SecretString == nil {
		return "", errors.New("Secret is not string")
	}

	secret := SecretString{
		Name:         *resp.Name,
		SecretString: *resp.SecretString,
	}
	value, err := getSecretValue(&secret, spec)
	if err != nil {
		return "", err
	}

	return value, nil
}

func getSecretValue(s *SecretString, spec *SecretSpec) (string, error) {
	var secretValue map[string]string
	blob := []byte(s.SecretString)

	//For those plaintext secrets just return the value
	if json.Valid(blob) != true {
		return s.SecretString, nil
	}

	err := json.Unmarshal(blob, &secretValue)
	if err != nil {
		return "", err
	}

	// If key is not set and secret has multiple keys, return error
	if spec.Key == "" && len(secretValue) > 1 {
		return "", errors.New("Secret has multiple values and no key was set")
	}

	if spec.Key == "" {
		for _, v := range secretValue {
			return v, nil
		}
	}

	if v, ok := secretValue[spec.Key]; ok {
		return v, nil
	}

	return "", fmt.Errorf("No secret found for key %q", spec.Key)
}
Add support for specifying key to fetch from AWS Secrets Manager 2020-05-15 07:50:33 -04:00			`// Package secretsmanager provide methods to get data from`
			`// AWS Secret Manager`
			`package secretsmanager`

			`import (`
			`"encoding/json"`
			`"errors"`
integration/secretsmanager: Add support for AWS SharedConfig file (#9781) This changes updates the AWS Secrets manager session authentication logic to support reading the AWS configuration file for default credentials and region settings, if they are not provided via environment variables. * Modify error output a little to remove stutter "error ... : error ...` Results before change ``` unset AWS_REGION ⇶ ~/pkg/packer build amazon-ebs_secretsmanager_shell-local.json template: root:1:3: executing "root" at <aws_secretsmanager `packer/test/keys` `shell`>: error calling aws_secretsmanager: Error getting secret: MissingRegion: could not find region configuration ``` Results after change ``` unset AWS_REGION ⇶ ~/pkg/packer build amazon-ebs_secretsmanager_shell-local.json null: output will be in this color. ==> null: Running local shell script: /tmp/packer-shell721444992 null: powershell Build 'null' finished after 4 milliseconds 121 microseconds. ==> Wait completed after 4 milliseconds 192 microseconds ==> Builds finished. The artifacts of successful builds are: ``` 2020-08-18 10:51:48 -04:00			`"fmt"`
Add support for specifying key to fetch from AWS Secrets Manager 2020-05-15 07:50:33 -04:00
			`"github.com/aws/aws-sdk-go/aws"`
			`"github.com/aws/aws-sdk-go/aws/session"`
			`"github.com/aws/aws-sdk-go/service/secretsmanager"`
			`"github.com/aws/aws-sdk-go/service/secretsmanager/secretsmanageriface"`
			`)`

Fix corrections * Fix typos in comments. * Add documentation of how to use multiple keys with `aws_secretsmanager` function. * Move `Client` struct to `secretsmanager.go` file. 2020-05-18 06:44:24 -04:00			`// Client represents an AWS Secrets Manager client`
			`type Client struct {`
			`config *AWSConfig`
			`api secretsmanageriface.SecretsManagerAPI`
Add support for specifying key to fetch from AWS Secrets Manager 2020-05-15 07:50:33 -04:00			`}`

			`// New creates an AWS Session Manager Client`
			`func New(config AWSConfig) Client {`
			`c := &Client{`
			`config: config,`
			`}`

			`s := c.newSession(config)`
			`c.api = secretsmanager.New(s)`
			`return c`
			`}`

			`func (c Client) newSession(config AWSConfig) *session.Session {`
			`// Initialize config with error verbosity`
integration/secretsmanager: Add support for AWS SharedConfig file (#9781) This changes updates the AWS Secrets manager session authentication logic to support reading the AWS configuration file for default credentials and region settings, if they are not provided via environment variables. * Modify error output a little to remove stutter "error ... : error ...` Results before change ``` unset AWS_REGION ⇶ ~/pkg/packer build amazon-ebs_secretsmanager_shell-local.json template: root:1:3: executing "root" at <aws_secretsmanager `packer/test/keys` `shell`>: error calling aws_secretsmanager: Error getting secret: MissingRegion: could not find region configuration ``` Results after change ``` unset AWS_REGION ⇶ ~/pkg/packer build amazon-ebs_secretsmanager_shell-local.json null: output will be in this color. ==> null: Running local shell script: /tmp/packer-shell721444992 null: powershell Build 'null' finished after 4 milliseconds 121 microseconds. ==> Wait completed after 4 milliseconds 192 microseconds ==> Builds finished. The artifacts of successful builds are: ``` 2020-08-18 10:51:48 -04:00			`sessConfig := aws.NewConfig().WithCredentialsChainVerboseErrors(true)`
Add support for specifying key to fetch from AWS Secrets Manager 2020-05-15 07:50:33 -04:00
			`if config.Region != "" {`
integration/secretsmanager: Add support for AWS SharedConfig file (#9781) This changes updates the AWS Secrets manager session authentication logic to support reading the AWS configuration file for default credentials and region settings, if they are not provided via environment variables. * Modify error output a little to remove stutter "error ... : error ...` Results before change ``` unset AWS_REGION ⇶ ~/pkg/packer build amazon-ebs_secretsmanager_shell-local.json template: root:1:3: executing "root" at <aws_secretsmanager `packer/test/keys` `shell`>: error calling aws_secretsmanager: Error getting secret: MissingRegion: could not find region configuration ``` Results after change ``` unset AWS_REGION ⇶ ~/pkg/packer build amazon-ebs_secretsmanager_shell-local.json null: output will be in this color. ==> null: Running local shell script: /tmp/packer-shell721444992 null: powershell Build 'null' finished after 4 milliseconds 121 microseconds. ==> Wait completed after 4 milliseconds 192 microseconds ==> Builds finished. The artifacts of successful builds are: ``` 2020-08-18 10:51:48 -04:00			`sessConfig = sessConfig.WithRegion(config.Region)`
Add support for specifying key to fetch from AWS Secrets Manager 2020-05-15 07:50:33 -04:00			`}`

			`opts := session.Options{`
integration/secretsmanager: Add support for AWS SharedConfig file (#9781) This changes updates the AWS Secrets manager session authentication logic to support reading the AWS configuration file for default credentials and region settings, if they are not provided via environment variables. * Modify error output a little to remove stutter "error ... : error ...` Results before change ``` unset AWS_REGION ⇶ ~/pkg/packer build amazon-ebs_secretsmanager_shell-local.json template: root:1:3: executing "root" at <aws_secretsmanager `packer/test/keys` `shell`>: error calling aws_secretsmanager: Error getting secret: MissingRegion: could not find region configuration ``` Results after change ``` unset AWS_REGION ⇶ ~/pkg/packer build amazon-ebs_secretsmanager_shell-local.json null: output will be in this color. ==> null: Running local shell script: /tmp/packer-shell721444992 null: powershell Build 'null' finished after 4 milliseconds 121 microseconds. ==> Wait completed after 4 milliseconds 192 microseconds ==> Builds finished. The artifacts of successful builds are: ``` 2020-08-18 10:51:48 -04:00			`SharedConfigState: session.SharedConfigEnable,`
			`Config: *sessConfig,`
Add support for specifying key to fetch from AWS Secrets Manager 2020-05-15 07:50:33 -04:00			`}`

			`return session.Must(session.NewSessionWithOptions(opts))`
			`}`

			`// GetSecret return an AWS Secret Manager secret`
			`// in plain text from a given secret name`
			`func (c Client) GetSecret(spec SecretSpec) (string, error) {`
			`params := &secretsmanager.GetSecretValueInput{`
			`SecretId: aws.String(spec.Name),`
			`VersionStage: aws.String("AWSCURRENT"),`
			`}`

			`resp, err := c.api.GetSecretValue(params)`
			`if err != nil {`
			`return "", err`
			`}`

			`if resp.SecretString == nil {`
			`return "", errors.New("Secret is not string")`
			`}`

			`secret := SecretString{`
			`Name: *resp.Name,`
			`SecretString: *resp.SecretString,`
			`}`
			`value, err := getSecretValue(&secret, spec)`
			`if err != nil {`
			`return "", err`
			`}`

			`return value, nil`
			`}`

			`func getSecretValue(s SecretString, spec SecretSpec) (string, error) {`
			`var secretValue map[string]string`
			`blob := []byte(s.SecretString)`

integrations/secretsmanager: Add support for plaintext, non key/pair, secrets (#9773) 2020-08-17 07:41:21 -04:00			`//For those plaintext secrets just return the value`
			`if json.Valid(blob) != true {`
			`return s.SecretString, nil`
			`}`

Add support for specifying key to fetch from AWS Secrets Manager 2020-05-15 07:50:33 -04:00			`err := json.Unmarshal(blob, &secretValue)`
			`if err != nil {`
			`return "", err`
			`}`

Add error check Thrown an error if no key is given when secret has mutliple values 2020-05-23 09:02:16 -04:00			`// If key is not set and secret has multiple keys, return error`
			`if spec.Key == "" && len(secretValue) > 1 {`
			`return "", errors.New("Secret has multiple values and no key was set")`
			`}`

Add support for specifying key to fetch from AWS Secrets Manager 2020-05-15 07:50:33 -04:00			`if spec.Key == "" {`
			`for _, v := range secretValue {`
			`return v, nil`
			`}`
			`}`

			`if v, ok := secretValue[spec.Key]; ok {`
			`return v, nil`
			`}`

integration/secretsmanager: Add support for AWS SharedConfig file (#9781) This changes updates the AWS Secrets manager session authentication logic to support reading the AWS configuration file for default credentials and region settings, if they are not provided via environment variables. * Modify error output a little to remove stutter "error ... : error ...` Results before change ``` unset AWS_REGION ⇶ ~/pkg/packer build amazon-ebs_secretsmanager_shell-local.json template: root:1:3: executing "root" at <aws_secretsmanager `packer/test/keys` `shell`>: error calling aws_secretsmanager: Error getting secret: MissingRegion: could not find region configuration ``` Results after change ``` unset AWS_REGION ⇶ ~/pkg/packer build amazon-ebs_secretsmanager_shell-local.json null: output will be in this color. ==> null: Running local shell script: /tmp/packer-shell721444992 null: powershell Build 'null' finished after 4 milliseconds 121 microseconds. ==> Wait completed after 4 milliseconds 192 microseconds ==> Builds finished. The artifacts of successful builds are: ``` 2020-08-18 10:51:48 -04:00			`return "", fmt.Errorf("No secret found for key %q", spec.Key)`
Add support for specifying key to fetch from AWS Secrets Manager 2020-05-15 07:50:33 -04:00			`}`