feat: add secrets adapter for aws secrets manager #1141
Conversation
| @@ -0,0 +1,25 @@ | |||
| class Kamal::Secrets::Adapters::AwsSecretsmanager < Kamal::Secrets::Adapters::Base | |||
There was a problem hiding this comment.
The official name is AWS Secrets Manager, so let's call this AwsSecretsManager (and rename the file to aws_secrets_manager.rb
There was a problem hiding this comment.
It's funny, I went back and forth on the name but ultimately decided on one word because the AWS CLI calls it "secretsmanager" over "secrets-manager". I agree though, I like the two word version better and will get that changed.
| class Kamal::Secrets::Adapters::AwsSecretsmanager < Kamal::Secrets::Adapters::Base | ||
| private | ||
| def login(_account) | ||
| nil |
There was a problem hiding this comment.
There's no sensible default way to implement this is there? Would be nice if we could prompt for MFA from here if that was enabled, but we'd need to know all about the IAM setup for that to work I think.
There was a problem hiding this comment.
I think there's just too many different ways to authenticate with AWS. I believe the preferred method is SSO using the aws sso login command, but the user could also be authenticated with access keys, environment variables, automatically (if they're on an EC2 instance with an IAM Role), or even an external process.
One option would be to check if the user is authenticated with aws sts get-caller-identity, and if that command returns an error, attempt to run aws sso login. However, this could be confusing if they normally authenticate a different way, or even worse have aws cli v1 installed which doesn't include sso login.
What do you think?
There was a problem hiding this comment.
Yes let's leave it for now. We could I guess add a separate SsoAwsSecretsManager or something like that later.
| @@ -0,0 +1,87 @@ | |||
| require "test_helper" | |||
|
|
|||
| class AwsSecretsmanagerAdapterTest < SecretAdapterTestCase | |||
| end | ||
|
|
||
| def get_from_secrets_manager(secrets, account:) | ||
| `aws secretsmanager batch-get-secret-value --secret-id-list #{secrets.map(&:shellescape).join(" ")} --profile #{account}`.tap do |
There was a problem hiding this comment.
Let's shell escape the account here as well 👍
|
@justindell - thanks for the PR! Just a few minor suggestions, then we can get this merged. |
|
Sorry one more thing - could we also implement the check_dependencies! method that was recently added to the base adapter. It should give a nice error message if the cli is not installed. |
|
Should be all set! Let me know if you see anything else |
This add AWS Secrets Manager as a secrets adapter. It assumes the AWS CLI is installed and has access to secrets manager, so no login step is required. Instead, the
--accountoption is used to select a profile name, which is typicallydefault.Site documentation PR: documentation for aws secrets manager