Check for errors from AWS secrets manager

sthagen · Dec 12, 2024 · e464177 · e464177
1 parent 68e6f82
commit e464177
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 3 deletions.
diff --git a/lib/kamal/secrets/adapters/aws_secrets_manager.rb b/lib/kamal/secrets/adapters/aws_secrets_manager.rb
@@ -6,7 +6,15 @@ def login(_account)
 
     def fetch_secrets(secrets, account:, session:)
       {}.tap do |results|
-        JSON.parse(get_from_secrets_manager(secrets, account: account))["SecretValues"].each do |secret|
+        secrets = JSON.parse(get_from_secrets_manager(secrets, account: account))
+
+        if secrets["Errors"].present?
+          first_error = secrets["Errors"].first
+
+          raise RuntimeError, "#{first_error['SecretId']}: #{first_error['Message']}"
+        end
+
+        secrets["SecretValues"].each do |secret|
           secret_name = secret["Name"]
           secret_string = JSON.parse(secret["SecretString"])
 
@@ -20,8 +28,8 @@ def fetch_secrets(secrets, account:, session:)
     end
 
     def get_from_secrets_manager(secrets, account:)
-      `aws secretsmanager batch-get-secret-value --secret-id-list #{secrets.map(&:shellescape).join(" ")} --profile #{account.shellescape}`.tap do
-        raise RuntimeError, "Could not read #{secret} from AWS Secrets Manager" unless $?.success?
+      `aws secretsmanager batch-get-secret-value --secret-id-list #{secrets.map(&:shellescape).join(" ")} --profile #{account.shellescape}`.tap do |secrets|
+        raise RuntimeError, "Could not read #{secrets} from AWS Secrets Manager" unless $?.success?
       end
     end
 

diff --git a/test/secrets/aws_secrets_manager_adapter_test.rb b/test/secrets/aws_secrets_manager_adapter_test.rb
@@ -1,6 +1,30 @@
 require "test_helper"
 
 class AwsSecretsManagerAdapterTest < SecretAdapterTestCase
+  test "fails when errors are present" do
+    stub_ticks.with("aws --version 2> /dev/null")
+    stub_ticks
+      .with("aws secretsmanager batch-get-secret-value --secret-id-list unknown-secret-id --profile default")
+      .returns(<<~JSON)
+        {
+          "SecretValues": [],
+          "Errors": [
+            {
+                "SecretId": "unknown-secret-id",
+                "ErrorCode": "ResourceNotFoundException",
+                "Message": "Secrets Manager can't find the specified secret."
+            }
+          ]
+        }
+      JSON
+
+    error = assert_raises RuntimeError do
+      JSON.parse(shellunescape(run_command("fetch", "unknown-secret-id")))
+    end
+
+    assert_equal "unknown-secret-id: Secrets Manager can't find the specified secret.", error.message
+  end
+
   test "fetch" do
     stub_ticks.with("aws --version 2> /dev/null")
     stub_ticks