diff --git a/Dockerfile b/Dockerfile index 2ceea4b..51e69ee 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ FROM amazonlinux:2 -ADD https://github.com/s12v/exec-with-secrets/releases/latest/download/exec-with-secrets-linux-amd64 /exec-with-secrets +ADD https://github.com/johnrichardrinehart/exec-with-secrets/releases/latest/download/exec-with-secrets-linux-amd64 /exec-with-secrets RUN chmod +x /exec-with-secrets diff --git a/README.md b/README.md index 198135a..22a8583 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ -[![Build Status](https://travis-ci.com/s12v/exec-with-secrets.svg?branch=master)](https://travis-ci.com/s12v/exec-with-secrets) -[![codecov](https://codecov.io/gh/s12v/exec-with-secrets/branch/master/graph/badge.svg)](https://codecov.io/gh/s12v/exec-with-secrets) +[![Build Status](https://travis-ci.com/johnrichardrinehart/exec-with-secrets.svg?branch=master)](https://travis-ci.com/johnrichardrinehart/exec-with-secrets) +[![codecov](https://codecov.io/gh/johnrichardrinehart/exec-with-secrets/branch/master/graph/badge.svg)](https://codecov.io/gh/johnrichardrinehart/exec-with-secrets) # Inject secrets from AWS KMS/SSM/Secrets Manager and Azure Key Vault into your app environment @@ -69,4 +69,4 @@ make TAGS=awsssm ## Adding a new provider -See example PR: https://github.com/s12v/exec-with-secrets/pull/1 +See example PR: https://github.com/johnrichardrinehart/exec-with-secrets/pull/1 diff --git a/go.mod b/go.mod index 58f748c..8cca3c5 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,4 @@ -module github.com/s12v/exec-with-secrets - -require github.com/aws/aws-sdk-go-v2 v0.24.0 +module github.com/johnrichardrinehart/exec-with-secrets require ( github.com/Azure/azure-sdk-for-go v30.1.0+incompatible @@ -8,6 +6,12 @@ require ( github.com/Azure/go-autorest/autorest/azure/auth v0.1.0 // indirect github.com/Azure/go-autorest/autorest/to v0.2.0 // indirect github.com/Azure/go-autorest/autorest/validation v0.1.0 // indirect + github.com/aws/aws-sdk-go-v2 v1.9.0 + github.com/aws/aws-sdk-go-v2/config v1.8.1 + github.com/aws/aws-sdk-go-v2/service/kms v1.6.0 + github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.6.0 + github.com/aws/aws-sdk-go-v2/service/ssm v1.10.0 + github.com/stretchr/testify v1.4.0 // indirect ) go 1.13 diff --git a/go.sum b/go.sum index 98c3919..8973ee7 100644 --- a/go.sum +++ b/go.sum @@ -37,8 +37,30 @@ github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMx github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= -github.com/aws/aws-sdk-go-v2 v0.24.0 h1:R0lL0krk9EyTI1vmO1ycoeceGZotSzCKO51LbPGq3rU= -github.com/aws/aws-sdk-go-v2 v0.24.0/go.mod h1:2LhT7UgHOXK3UXONKI5OMgIyoQL6zTAw/jwIeX6yqzw= +github.com/aws/aws-sdk-go-v2 v1.9.0 h1:+S+dSqQCN3MSU5vJRu1HqHrq00cJn6heIMU7X9hcsoo= +github.com/aws/aws-sdk-go-v2 v1.9.0/go.mod h1:cK/D0BBs0b/oWPIcX/Z/obahJK1TT7IPVjy53i/mX/4= +github.com/aws/aws-sdk-go-v2/config v1.8.1 h1:AcAenV2NVwOViG+3ts73uT08L1olN4NBNNz7lUlHSUo= +github.com/aws/aws-sdk-go-v2/config v1.8.1/go.mod h1:AQtpYfVYjuuft4Dgh0jGSkPQJ9MvmK9vXfSub7oSXlI= +github.com/aws/aws-sdk-go-v2/credentials v1.4.1 h1:oDiUP50hKRwC6xAgESAj46lgL2prJRZQWnCBzn+TU/c= +github.com/aws/aws-sdk-go-v2/credentials v1.4.1/go.mod h1:dgGR+Qq7Wjcd4AOAW5Rf5Tnv3+x7ed6kETXyS9WCuAY= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.5.0 h1:OxTAgH8Y4BXHD6PGCJ8DHx2kaZPCQfSTqmDsdRZFezE= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.5.0/go.mod h1:CpNzHK9VEFUCknu50kkB8z58AH2B5DvPP7ea1LHve/Y= +github.com/aws/aws-sdk-go-v2/internal/ini v1.2.2 h1:d95cddM3yTm4qffj3P6EnP+TzX1SSkWaQypXSgT/hpA= +github.com/aws/aws-sdk-go-v2/internal/ini v1.2.2/go.mod h1:BQV0agm+JEhqR+2RT5e1XTFIDcAAV0eW6z2trp+iduw= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.3.0 h1:VNJ5NLBteVXEwE2F1zEXVmyIH58mZ6kIQGJoC7C+vkg= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.3.0/go.mod h1:R1KK+vY8AfalhG1AOu5e35pOD2SdoPKQCFLTvnxiohk= +github.com/aws/aws-sdk-go-v2/service/kms v1.6.0 h1:HT72gDSqXoE9xZ7x7lvfyIjNOgvwT4Gqvjs0UsVrDBA= +github.com/aws/aws-sdk-go-v2/service/kms v1.6.0/go.mod h1:w7JuP9Oq1IKMFQPkNe3V6s9rOssXzOVEMNEqK1L1bao= +github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.6.0 h1:3vxYnnbPWwECs3xN+cu/bRefhynMOH6elQAxuHES01Q= +github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.6.0/go.mod h1:B+7C5UKdVq1ylkI/A6O8wcurFtaux0R1njePNPtKwoA= +github.com/aws/aws-sdk-go-v2/service/ssm v1.10.0 h1:kEYH8NMfMA5gC5MMcEr5gVtJxyGmaxIYJwwZ7T6ygNs= +github.com/aws/aws-sdk-go-v2/service/ssm v1.10.0/go.mod h1:4dXS5YNqI3SNbetQ7X7vfsMlX6ZnboJA2dulBwJx7+g= +github.com/aws/aws-sdk-go-v2/service/sso v1.4.0 h1:sHXMIKYS6YiLPzmKSvDpPmOpJDHxmAUgbiF49YNVztg= +github.com/aws/aws-sdk-go-v2/service/sso v1.4.0/go.mod h1:+1fpWnL96DL23aXPpMGbsmKe8jLTEfbjuQoA4WS1VaA= +github.com/aws/aws-sdk-go-v2/service/sts v1.7.0 h1:1at4e5P+lvHNl2nUktdM2/v+rpICg/QSEr9TO/uW9vU= +github.com/aws/aws-sdk-go-v2/service/sts v1.7.0/go.mod h1:0qcSMCyASQPN2sk/1KQLQ2Fh6yq8wm0HSDAimPhzCoM= +github.com/aws/smithy-go v1.8.0 h1:AEwwwXQZtUwP5Mz506FeXXrKBe0jA8gVM+1gEcSRooc= +github.com/aws/smithy-go v1.8.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= @@ -57,7 +79,6 @@ github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMo github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= -github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= @@ -67,15 +88,18 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= -github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4= -github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ= +github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg= github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= github.com/grpc-ecosystem/grpc-gateway v1.8.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= -github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM= -github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= +github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= +github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= +github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= +github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= @@ -134,7 +158,6 @@ golang.org/x/net v0.0.0-20190125091013-d26f9f9a57f3/go.mod h1:mL1N/T3taQHkDXs73r golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -174,7 +197,8 @@ gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= diff --git a/main.go b/main.go index e41c665..2d0e99b 100644 --- a/main.go +++ b/main.go @@ -2,14 +2,15 @@ package main import ( "fmt" - "github.com/s12v/exec-with-secrets/provider" - _ "github.com/s12v/exec-with-secrets/provider/awskms" - _ "github.com/s12v/exec-with-secrets/provider/awssecretsmanager" - _ "github.com/s12v/exec-with-secrets/provider/awsssm" - _ "github.com/s12v/exec-with-secrets/provider/azurekeyvault" "os" "os/exec" "syscall" + + "github.com/johnrichardrinehart/exec-with-secrets/provider" + _ "github.com/johnrichardrinehart/exec-with-secrets/provider/awskms" + _ "github.com/johnrichardrinehart/exec-with-secrets/provider/awssecretsmanager" + _ "github.com/johnrichardrinehart/exec-with-secrets/provider/awsssm" + _ "github.com/johnrichardrinehart/exec-with-secrets/provider/azurekeyvault" ) func main() { diff --git a/provider/awskms/awskms.go b/provider/awskms/awskms.go index 558ebb5..6ca1392 100644 --- a/provider/awskms/awskms.go +++ b/provider/awskms/awskms.go @@ -7,10 +7,13 @@ import ( "encoding/base64" "errors" "fmt" - "github.com/aws/aws-sdk-go-v2/aws/external" - "github.com/aws/aws-sdk-go-v2/service/kms" - "github.com/s12v/exec-with-secrets/provider" + "os" "strings" + "time" + + "github.com/aws/aws-sdk-go-v2/config" + "github.com/aws/aws-sdk-go-v2/service/kms" + "github.com/johnrichardrinehart/exec-with-secrets/provider" ) type KmsProvider struct { @@ -22,21 +25,35 @@ const prefix = "{aws-kms}" var decrypt func(awsKmsClient *kms.Client, input *kms.DecryptInput) (*kms.DecryptOutput, error) func init() { - cfg, err := external.LoadDefaultAWSConfig() + decrypt = awsDecrypt + + cfg, err := config.LoadDefaultConfig( + context.TODO(), + config.WithSharedConfigProfile("default"), + ) if err != nil { - panic("unable to load AWS-SDK config, " + err.Error()) + fmt.Println("error obtaining AWS credentials:", err) + os.Exit(1) } - decrypt = awsDecrypt - provider.Register(&KmsProvider{kms.New(cfg)}) + opts := kms.Options{ + Region: "us-east-1", + Credentials: cfg.Credentials, + } + + kmsClient := kms.New(opts) + + provider.Register(&KmsProvider{kmsClient}) } func awsDecrypt(awsKmsClient *kms.Client, input *kms.DecryptInput) (*kms.DecryptOutput, error) { - ctx := context.Background() - if resp, err := awsKmsClient.DecryptRequest(input).Send(ctx); err != nil { + ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second) + defer cancel() + resp, err := awsKmsClient.Decrypt(ctx, input) + if err != nil { return nil, errors.New(fmt.Sprintf("KMS error: %v", err)) } else { - return resp.DecryptOutput, nil + return resp, nil } } @@ -51,12 +68,9 @@ func (p *KmsProvider) Decode(val string) (string, error) { } input := &kms.DecryptInput{CiphertextBlob: blob} - if err = input.Validate(); err != nil { - return "", err - } if output, err := decrypt(p.awsKmsClient, input); err != nil { - return "", err + return "", fmt.Errorf("failed to decrypt secret %s: %s", val, err) } else { return string(output.Plaintext), nil } diff --git a/provider/awssecretsmanager/awsecretsmanager.go b/provider/awssecretsmanager/awsecretsmanager.go index 3c23781..739084f 100644 --- a/provider/awssecretsmanager/awsecretsmanager.go +++ b/provider/awssecretsmanager/awsecretsmanager.go @@ -5,14 +5,16 @@ package awssecretsmanager import ( "context" "encoding/json" - "errors" "fmt" - "github.com/aws/aws-sdk-go-v2/aws" - "github.com/aws/aws-sdk-go-v2/aws/external" - "github.com/aws/aws-sdk-go-v2/service/secretsmanager" - "github.com/s12v/exec-with-secrets/provider" + "os" "regexp" "strings" + "time" + + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/config" + "github.com/aws/aws-sdk-go-v2/service/secretsmanager" + "github.com/johnrichardrinehart/exec-with-secrets/provider" ) type SecretsManagerProvider struct { @@ -28,24 +30,36 @@ var fetch func( input *secretsmanager.GetSecretValueInput) (*secretsmanager.GetSecretValueOutput, error) func init() { - cfg, err := external.LoadDefaultAWSConfig() + fetch = awsFetch // set global + + cfg, err := config.LoadDefaultConfig( + context.TODO(), + config.WithSharedConfigProfile("default"), + ) if err != nil { - panic("unable to load AWS-SDK config, " + err.Error()) + fmt.Println("error obtaining AWS credentials:", err) + os.Exit(1) } - fetch = awsFetch - provider.Register(&SecretsManagerProvider{secretsmanager.New(cfg)}) + opts := secretsmanager.Options{ + Region: "us-east-1", + Credentials: cfg.Credentials, + } + smClient := secretsmanager.New(opts) + + provider.Register(&SecretsManagerProvider{smClient}) // register externally } func awsFetch( awsClient *secretsmanager.Client, input *secretsmanager.GetSecretValueInput) (*secretsmanager.GetSecretValueOutput, error) { - ctx := context.Background() - if resp, err := awsClient.GetSecretValueRequest(input).Send(ctx); err != nil { - return nil, errors.New(fmt.Sprintf("AWS SecretsManager error: %v", err)) - } else { - return resp.GetSecretValueOutput, nil + ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second) + defer cancel() + resp, err := awsClient.GetSecretValue(ctx, input) + if err != nil { + return nil, fmt.Errorf("AWS SecretsManager error: %v", err) } + return resp, nil } func (p *SecretsManagerProvider) Match(val string) bool { @@ -71,7 +85,7 @@ func (p *SecretsManagerProvider) decodeJson(val string, property string) (string properties, _ := unmarshal(jsobj) value, ok := properties[property] if !ok { - return "", errors.New(fmt.Sprintf("property '%v' does not exist", property)) + return "", fmt.Errorf("property '%v' does not exist", property) } return value, nil } @@ -80,12 +94,9 @@ func (p *SecretsManagerProvider) fetchString(name string) (string, error) { input := &secretsmanager.GetSecretValueInput{ SecretId: aws.String(name), } - if err := input.Validate(); err != nil { - return "", err - } if output, err := fetch(p.awsClient, input); err != nil { - return "", err + return "", fmt.Errorf("failed to fetch secret %s: %s", name, err) } else { return *output.SecretString, nil } diff --git a/provider/awsssm/awsssm.go b/provider/awsssm/awsssm.go index 4f9c93e..54d3baa 100644 --- a/provider/awsssm/awsssm.go +++ b/provider/awsssm/awsssm.go @@ -6,10 +6,13 @@ import ( "context" "errors" "fmt" - "github.com/aws/aws-sdk-go-v2/aws/external" - "github.com/aws/aws-sdk-go-v2/service/ssm" - "github.com/s12v/exec-with-secrets/provider" + "os" "strings" + "time" + + "github.com/aws/aws-sdk-go-v2/config" + "github.com/aws/aws-sdk-go-v2/service/ssm" + "github.com/johnrichardrinehart/exec-with-secrets/provider" ) type SsmProvider struct { @@ -21,21 +24,34 @@ const prefix = "{aws-ssm}" var fetch func(awsSsmClient *ssm.Client, input *ssm.GetParameterInput) (*ssm.GetParameterOutput, error) func init() { - cfg, err := external.LoadDefaultAWSConfig() + fetch = awsFetch + + cfg, err := config.LoadDefaultConfig( + context.TODO(), + config.WithSharedConfigProfile("default"), + ) if err != nil { - panic("unable to load AWS-SDK config, " + err.Error()) + fmt.Println("error obtaining AWS credentials:", err) + os.Exit(1) } - fetch = awsFetch - provider.Register(&SsmProvider{ssm.New(cfg)}) + opts := ssm.Options{ + Credentials: cfg.Credentials, + } + + ssmClient := ssm.New(opts) + + provider.Register(&SsmProvider{ssmClient}) } func awsFetch(awsSsmClient *ssm.Client, input *ssm.GetParameterInput) (*ssm.GetParameterOutput, error) { - ctx := context.Background() - if resp, err := awsSsmClient.GetParameterRequest(input).Send(ctx); err != nil { + ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second) + defer cancel() + resp, err := awsSsmClient.GetParameter(ctx, input) + if err != nil { return nil, errors.New(fmt.Sprintf("SSM error: %v", err)) } else { - return resp.GetParameterOutput, nil + return resp, nil } } @@ -45,14 +61,10 @@ func (p *SsmProvider) Match(val string) bool { func (p *SsmProvider) Decode(val string) (string, error) { name := val[len(prefix):] - var withEncryption = true - input := &ssm.GetParameterInput{Name: &name, WithDecryption: &withEncryption} - if err := input.Validate(); err != nil { - return "", err - } + input := &ssm.GetParameterInput{Name: &name, WithDecryption: true} if output, err := fetch(p.awsSsmClient, input); err != nil { - return "", err + return "", fmt.Errorf("failed to fetch secret %s: %s", name, err) } else { return *output.Parameter.Value, nil } diff --git a/provider/awsssm/awsssm_test.go b/provider/awsssm/awsssm_test.go index e2c00af..b70659b 100644 --- a/provider/awsssm/awsssm_test.go +++ b/provider/awsssm/awsssm_test.go @@ -3,8 +3,10 @@ package awsssm import ( - "github.com/aws/aws-sdk-go-v2/service/ssm" "testing" + + "github.com/aws/aws-sdk-go-v2/service/ssm" + "github.com/aws/aws-sdk-go-v2/service/ssm/types" ) func TestSsmProvider_Match(t *testing.T) { @@ -28,7 +30,7 @@ func TestSsmProvider_Decode(t *testing.T) { t.Fatalf("unexpected name %v", input.Name) } - return &ssm.GetParameterOutput{Parameter: &ssm.Parameter{Value: &value}}, nil + return &ssm.GetParameterOutput{Parameter: &types.Parameter{Value: &value}}, nil } if r, _ := ssmProvider.Decode("{aws-ssm}/foo/bar"); r != "boom" { diff --git a/provider/azurekeyvault/azurekeyvault.go b/provider/azurekeyvault/azurekeyvault.go index a754861..4c8dbe9 100644 --- a/provider/azurekeyvault/azurekeyvault.go +++ b/provider/azurekeyvault/azurekeyvault.go @@ -9,7 +9,7 @@ import ( "github.com/Azure/azure-sdk-for-go/services/keyvault/auth" "github.com/Azure/go-autorest/autorest" "github.com/Azure/go-autorest/autorest/azure" - "github.com/s12v/exec-with-secrets/provider" + "github.com/johnrichardrinehart/exec-with-secrets/provider" "os" "strings" )