Implement support for AWS SecretsManager#4
Conversation
|
It seems the tests are failing because of |
|
@mnapoli this was a legit error, the SecretsManagerClient shouldn't not be called in the failing test. The issue was triggered by of a contengency between tests because we're using |
|
@mnapoli I've pushed a last fix for You can see this in their changelog, it fixes the issues with constants: https://github.com/symfony/polyfill/blob/1.x/CHANGELOG.md#1131 |
|
@natepage nice work 😊 Do you already use it? I assume it also needs some adjustments here: |
| if ($e->getCode() === 400) { | ||
| // Extra descriptive error message for the most common error | ||
| throw new RuntimeException( | ||
| "Bref was not able to resolve secrets contained in environment variables from SecretsManager because of a permissions issue with the SecretsManager API. Did you add IAM permissions in serverless.yml to allow Lambda to access SecretsManager? (docs: https://bref.sh/docs/environment/variables.html#at-deployment-time).\nFull exception message: {$e->getMessage()}", |
There was a problem hiding this comment.
It would be cool to try to get all the secret values first and afterwards throw the error (including indicating which secrets have failed).
There was a problem hiding this comment.
In case of a permission issue it's more likely that permissions are not good for all secrets. If not, that's not a common case, I'm fine keeping it simple honestly (easier to maintain).
|
I don't use SecretsManager and I have one hesitation before merging this: isn't it more common to store multiple variables in 1 SecretManager entry? That's a pattern I've seen multiple times, and I think it's caused by the fact that SecretManager deals well with JSON values (so multiple values in 1 secret) and that secrets are expensive (by the unit). It also means 1 HTTP call (faster and cheaper) to retrieve all values. For example, that's how secrets are stored for AWS services: https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_secret_json_structure.html |
Are you referring to this PR or #7? This PR indeed assumes that all secrets are in JSON format but actually you can also just store simple strings and it would fail then. This is how this PR works: Secrets: serverless.yml: provider:
environment:
DB_CONNECTION: bref-secretsmanager:DB_CONNECTIONExpands to these environment variables: However, I think it should simply expand to the actual value (see #7) and the rest is up to the application to parse it properly: It's unopinionated and would work exactly the same like the |
|
Hey there, sorry I missed the party 😄 @mnapoli agree with you here, all projects I worked on using AWS SecretsManager are storing multiple variables in a single secret. What about introducing some kind of processor, similar to what Symfony does with their env variables?
I'm happy to push changes to support this if sounds good to you! |
|
The changes to add a |
|
Hey there, Happy New Year! A gentle follow up on this one as we would to be able to use this in our projects 😄 |
| "async-aws/ssm": "^1.3" | ||
| }, | ||
| "require-dev": { | ||
| "async-aws/secrets-manager": "^1.0", |
There was a problem hiding this comment.
Is it OK to put this in the require-dev instead of in the require section?
There was a problem hiding this comment.
@f-lombardo my thinking was people don't need this dependency unless they are working with secrets manager, and because ssm is the default implementation of this library it's most likely to be the only use in a majority of cases. But I do not have strong opinions about it 😄
There was a problem hiding this comment.
IMHO since async-aws/ssm is in the require section, the same should hold for async-aws/secrets-manager
Hello @natepage, since I also had to use some new features in a few projects, I created a small fork of this one: https://github.com/f-lombardo/secrets-loader If you want, you could submit a PR to my repo too. I'll take care of mantaining my project aligned with the original one |
I've implemented something similar here: |
|
Hi @mnapoli 👋 Hope you're well, I would like to follow up on this as we're very interested in the functionality 😄 |
5 participants
Hi there 👋
secrets-loaderis great, easy to setup, and works beautifuly with AWS SSM.However, most of our projects work with both SSM and SecretsManager,
This PR allows people to use natively use secrets from SecretsManager with Bref.