feat: add secrets adapter for aws secrets manager

[justindell]

This add AWS Secrets Manager as a secrets adapter. It assumes the AWS CLI is installed and has access to secrets manager, so no login step is required. Instead, the --account option is used to select a profile name, which is typically default.

Site documentation PR: documentation for aws secrets manager

[djmb]

The official name is AWS Secrets Manager, so let's call this AwsSecretsManager (and rename the file to aws_secrets_manager.rb

[justindell]

It's funny, I went back and forth on the name but ultimately decided on one word because the AWS CLI calls it "secretsmanager" over "secrets-manager". I agree though, I like the two word version better and will get that changed.

[djmb]

There's no sensible default way to implement this is there? Would be nice if we could prompt for MFA from here if that was enabled, but we'd need to know all about the IAM setup for that to work I think.

[justindell]

I think there's just too many different ways to authenticate with AWS. I believe the preferred method is SSO using the aws sso login command, but the user could also be authenticated with access keys, environment variables, automatically (if they're on an EC2 instance with an IAM Role), or even an external process.

One option would be to check if the user is authenticated with aws sts get-caller-identity, and if that command returns an error, attempt to run aws sso login. However, this could be confusing if they normally authenticate a different way, or even worse have aws cli v1 installed which doesn't include sso login.

What do you think?

[djmb]

Yes let's leave it for now. We could I guess add a separate SsoAwsSecretsManager or something like that later.

[djmb]

Could we rename this too?

[djmb]

Let's shell escape the account here as well 👍

[djmb]

@justindell - thanks for the PR!

Just a few minor suggestions, then we can get this merged.

[djmb]

Sorry one more thing - could we also implement the check_dependencies! method that was recently added to the base adapter. It should give a nice error message if the cli is not installed.

[justindell]

Should be all set! Let me know if you see anything else

[chrisdebruin]

@justindell Thanks for this addition just what I needed. However I found an issue when trying this out. I have some passwords containing ( and this goes wrong. For example:

results  = { test: 'password(' }
secrets = JSON.dump(results).shellescape =>  "\\{\\\"test\\\":\\\"password\\(\\\"\\}" 
JSON.parse(secrets) => unexpected token at '\{\"test\":\"password\(\"\}' (JSON::ParserError)

as you can see it is escaping the ( in the password string but it's not unescaped when reading it and trying to parse the json

[justindell]

@justindell Thanks for this addition just what I needed. However I found an issue when trying this out. I have some passwords containing ( and this goes wrong. For example:

results  = { test: 'password(' }
secrets = JSON.dump(results).shellescape =>  "\\{\\\"test\\\":\\\"password\\(\\\"\\}" 
JSON.parse(secrets) => unexpected token at '\{\"test\":\"password\(\"\}' (JSON::ParserError)

as you can see it is escaping the ( in the password string but it's not unescaped when reading it and trying to parse the json

Could it be related to this? #1009 What happens if you try the kamal secrets print command?

[chrisdebruin]

@justindell

here is output of kamal secrets print

./bin/kamal secrets print -d staging
SECRETS=\{\"staging/TEST\":\"password\(\",\"staging/TEST2\":\"bar\"\}
TEST=$(bundle exec kamal secrets extract TEST \{\"staging/TEST\":\"password\(\",\"staging/TEST2\":\"bar\"\})

when running bundle exec kamal secrets extract $SECRETS I get this error ERROR (JSON::ParserError):`

was able to fix it with a new method

 def extract(name, secrets)
    parsed_secrets = parse_secrets(secrets)
    ....
 end 

  def parse_secrets(secrets)
      secrets = secrets.shellsplit.first if secrets.start_with?("\\{")

      JSON.parse(secrets)
    end

[justindell]

This looks like an issue outside of the scope of the aws secrets manager. I just created passwords with both 1password and AWS Secrets Manager with a password value of "test(", and it looks like it isn't properly being extracted (although "test" works fine on both). Would you like to create an issue?

[chrisdebruin]

I'll create a PR to fix this issue