From 7ca3e399fd4d589b65fc4f2d9fe7e80e677e37bd Mon Sep 17 00:00:00 2001
From: Dave Henderson
Date: Mon, 31 Jan 2022 19:24:46 -0500
Subject: [PATCH] aws+sm datasource - support reading from SecretBinary when SecretString is not set
Signed-off-by: Dave Henderson
---
data/datasource_aws_sm.go | 9 ++++++---
data/datasource_aws_sm_test.go | 17 +++++++++++++++++
docs/content/datasources.md | 2 +-
3 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/data/datasource_aws_sm.go b/data/datasource_aws_sm.go
index f64bf5fa8..8fce296ae 100644
--- a/data/datasource_aws_sm.go
+++ b/data/datasource_aws_sm.go
@@ -10,7 +10,6 @@ import (
 "github.com/aws/aws-sdk-go/aws"
 "github.com/aws/aws-sdk-go/aws/request"
 "github.com/aws/aws-sdk-go/service/secretsmanager"
- "github.com/pkg/errors"
 gaws "github.com/hairyhenderson/gomplate/v3/aws"
 )
@@ -77,8 +76,12 @@ func readAWSSecretsManagerParam(ctx context.Context, source *Source, paramPath s
 response, err := source.awsSecretsManager.GetSecretValueWithContext(ctx, input)
 if err != nil {
- return nil, errors.Wrapf(err, "Error reading aws+sm from AWS using GetSecretValue with input %v", input)
+ return nil, fmt.Errorf("reading aws+sm source %q: %w", source.Alias, err)
 }
- return []byte(*response.SecretString), nil
+ if response.SecretString != nil {
+ return []byte(*response.SecretString), nil
+ }
+
+ return response.SecretBinary, nil
 }
diff --git a/data/datasource_aws_sm_test.go b/data/datasource_aws_sm_test.go
index 892d54296..c274dcf8c 100644
--- a/data/datasource_aws_sm_test.go
+++ b/data/datasource_aws_sm_test.go
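Review bot: In the second hunk of data/datasource_aws_sm.go, the final `return response.SecretBinary, nil` yields `nil, nil` when the response carries neither `SecretString` nor `SecretBinary`, so a template would get an empty value in place of a secret with no error raised. Whether the service can return such a response is not visible here, but failing closed is cheap: `if len(response.SecretBinary) == 0 { return nil, fmt.Errorf("reading aws+sm source %q: response has no SecretString or SecretBinary", source.Alias) }` before the final return. The new error text no longer formats the request `input`; the wrapped SDK error may still carry request details, so callers that log it should treat it accordingly. The body of readAWSSecretsManagerParam begins outside this hunk.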
@@ -157,3 +157,20 @@ func TestAWSSecretsManager_ReadSecret(t *testing.T) {
 assert.NoError(t, err)
 assert.Equal(t, []byte("blub"), output)
 }
+
+func TestAWSSecretsManager_ReadSecretBinary(t *testing.T) {
+ calledOk := false
+ s := simpleAWSSecretsManagerSourceHelper(DummyAWSSecretsManagerSecretGetter{
+ t: t,
+ mockGetSecretValue: func(input *secretsmanager.GetSecretValueInput) (*secretsmanager.GetSecretValueOutput, error) {
+ assert.Equal(t, "/foo/bar", *input.SecretId)
+ calledOk = true
+ return &secretsmanager.GetSecretValueOutput{SecretBinary: []byte("supersecret")}, nil
+ },
+ })
+
+ output, err := readAWSSecretsManagerParam(context.Background(), s, "/foo/bar")
+ assert.True(t, calledOk)
+ assert.NoError(t, err)
+ assert.Equal(t, []byte("supersecret"), output)
+}
diff --git a/docs/content/datasources.md b/docs/content/datasources.md
index 7743b88e0..6f9f02f80 100644
--- a/docs/content/datasources.md
+++ b/docs/content/datasources.md
@@ -222,7 +222,7 @@ For `aws+sm`, only the _scheme_ and _path_ components are necessary to be define
 ### Output
-The output will be the SecretString from the `GetSecretValueOutput` object from the [AWS SDK for Go](https://docs.aws.amazon.com/sdk-for-go/api/service/secretsmanager/#GetSecretValueOutput)
+The output will be the content of either the `SecretString` or `SecretBinary` field of the AWS SDK's `GetSecretValueOutput` object from the [AWS SDK for Go](https://docs.aws.amazon.com/sdk-for-go/api/service/secretsmanager/#GetSecretValueOutput)
 ### Examples
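Review bot: `TestAWSSecretsManager_ReadSecretBinary` asserts only the response where `SecretBinary` alone is set; the precedence of `SecretString` when both fields are populated and the result for a response with neither field have no assertion. A second mock returning `&secretsmanager.GetSecretValueOutput{}` with the expected outcome asserted would pin how an empty response is handled, which matters because the caller renders whatever bytes come back. A doc comment such as `// TestAWSSecretsManager_ReadSecretBinary checks the fallback to SecretBinary when SecretString is nil.` would state the intent of the case.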