aws+sm datasource only supports path-like secret names

[RecuencoJones]

As per #867, looks like aws+sm schema only works with Unix path secret names (/like/this) but would fail otherwise,

Test with a secret named some-secrets:

gomplate \
  -c 'secrets=aws+sm://some-secrets?type=application/json' \
  --in {{ .secrets.test }}

Failing with:

Couldn't read datasource 'secrets': Error reading aws+sm from AWS using GetSecretValue with input {
  SecretId: ""
}

However, when just using aws+sm: as a datasource then it can be used like this:

gomplate \
  -d 'secrets=aws+sm:?type=application/json' \
  --in '{{ (ds "secrets" "some-secrets").test }}'

[hairyhenderson]

Hmm... There's some ambiguity here. Given aws+sm:///foo, should the name be /foo or foo? absolute URL paths always start with /, which is why the behaviour is as-is right now. But that's clearly not OK in this particular case.

An option is to support an opaque URI, like aws+sm:foo, and then use foo as the name.

What would be especially awkward is to use the authority part and have aws+sm://foo, but I don't like that at all, since it closes the door on being able to override the aws+sm endpoint. Plus it's not a hostname 😉

How does the opaque option sound @RecuencoJones? In your example you'd use this command:

gomplate \
  -c 'secrets=aws+sm:some-secrets?type=application/json' \
  --in {{ .secrets.test }}

If this works, it probably should be applied to the aws+smp datasource as well.

[RecuencoJones]

I think the opaque URI fits really well, I actually tested the following and worked with a secret named /some-secrets btw:

gomplate \
  -c 'secrets=aws+sm:/some-secrets?type=application/json' \
  --in {{ .secrets.test }}

So definitely, having just aws+sm:<secret-name>[?query][#fragment] would be perfect and much more intuitive for this datasource 😄

[hairyhenderson]

I think aws+sm:/some-secrets would be normalized to aws+sm:///some-secrets internally, which is why it works.

Glad to hear the opaque one works - I'll use that for the bugfix 🙂

[shashank201192]

@hairyhenderson, I am currently trying to use aws+sm datasource but it seems to be broken with 4.x gomplate while same is working with gomplate 3.x. After checking related cloudtrail event, I see that gomplate is adding "/" as prefix for Opaque URLs to secret manager ID.

For example, with gomplate 4.x, when I try running gomplate -c 'secrets=aws+sm:foo' --in {{.secrets}} then it's trying to get secret value for ID "/foo".

Is it related to breaking changes in 4.x gomplate?

[hairyhenderson]

@shashank201192 please file an issue or start a discussion - this issue has been closed for over 4 years