package secrets
import (
"context"
"errors"
"fmt"
"regexp"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/awserr"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/ssm"
)
// Compile-time assertion that *AWSSSM implements SecretStorage.
var _ SecretStorage = (*AWSSSM)(nil)
// AWSSSM is the AWS Systems Manager Parameter Store (aka SSM PS) backed
// SecretStorage. Secrets are written as SecureString parameters (SetSecret)
// and read back with decryption requested (GetSecret).
type AWSSSM struct {
	// Embedded so methods can read s.KeyID. Note that when built via
	// NewAWSSSMSecretProviderFromConfig the whole config, including the
	// static access key pair, stays reachable from this value for its lifetime.
	AWSSSMConfig
	// Pre-built SSM client every call goes through; may be supplied directly via NewAWSSSM.
	client *ssm.SSM
}
// AWSSSMConfig is the configuration consumed by NewAWSSSMSecretProviderFromConfig.
type AWSSSMConfig struct {
	// AWSConfig is declared elsewhere in the package; this file reads its
	// AccessKeyID, SecretAccessKey, Endpoint and Region fields.
	AWSConfig
	// KeyID is the KMS key passed as KeyId to PutParameter, i.e. the key used
	// to encrypt on write. When empty no KeyId is sent and SSM uses the account
	// default key. It is not consulted on reads: GetParameter decrypts with
	// whichever key the parameter was stored under.
	KeyID string
}
// NewAWSSSMSecretProviderFromConfig builds an AWSSSM whose SSM client
// authenticates with the static access key pair in cfg and targets
// cfg.Endpoint and cfg.Region.
//
// The returned value retains cfg (credentials included) as its embedded
// config. An error is returned only if the AWS session cannot be created.
func NewAWSSSMSecretProviderFromConfig(cfg AWSSSMConfig) (*AWSSSM, error) {
	sess, err := session.NewSession()
	if err != nil {
		return nil, fmt.Errorf("creating aws session: %w", err)
	}

	staticCreds := credentials.NewCredentials(&credentials.StaticProvider{
		Value: credentials.Value{
			AccessKeyID:     cfg.AccessKeyID,
			SecretAccessKey: cfg.SecretAccessKey,
		},
	})

	clientCfg := aws.NewConfig()
	clientCfg = clientCfg.WithCredentials(staticCreds)
	clientCfg = clientCfg.WithEndpoint(cfg.Endpoint)
	clientCfg = clientCfg.WithRegion(cfg.Region)

	provider := &AWSSSM{AWSSSMConfig: cfg}
	provider.client = ssm.New(sess, clientCfg)
	return provider, nil
}
// NewAWSSSM wraps an already-configured SSM client. The embedded
// AWSSSMConfig is left at its zero value, so KeyID is empty and SetSecret
// sends no KeyId (SSM then uses the account default key).
func NewAWSSSM(client *ssm.SSM) *AWSSSM {
	s := new(AWSSSM)
	s.client = client
	return s
}
// invalidSecretNameChars matches each character that SetSecret and GetSecret
// rewrite to "_" before a name is sent to SSM.
//
// NOTE(review): inside the class, `.-/` is a range from '.' (0x2E) to
// '/' (0x2F) and therefore admits only '.' and '/'; a literal '-' is NOT
// in the allowed set and gets rewritten to '_'. The intended set was
// presumably `[a-zA-Z0-9_./-]` (hyphen placed last so it is literal).
// Because the rewrite is lossy, distinct caller-supplied names such as
// "a-b" and "a_b" resolve to the same parameter. Changing the pattern
// changes which parameter existing names map to, so a fix must be paired
// with a migration of already-stored parameter names.
var invalidSecretNameChars = regexp.MustCompile(`[^a-zA-Z0-9_.-/]`)
// SetSecret stores secret under name as an SSM SecureString parameter,
// unconditionally overwriting any existing value.
//
// Characters rejected by invalidSecretNameChars are first rewritten to "_",
// so two distinct names may resolve to the same parameter. When s.KeyID is
// non-empty it is sent as the KMS key for encryption; otherwise KeyId is
// left nil and SSM uses the account default key.
//
// IAM: the calling principal needs ssm:PutParameter on the parameter and,
// when a customer-managed KMS key is configured, kms:Encrypt on that key
// (this type talks to Parameter Store, not Secrets Manager).
func (s *AWSSSM) SetSecret(name string, secret []byte) error {
	paramName := invalidSecretNameChars.ReplaceAllString(name, "_")
	value := string(secret)

	input := &ssm.PutParameterInput{
		Name:      aws.String(paramName),
		Overwrite: aws.Bool(true),
		Type:      aws.String("SecureString"),
		Value:     aws.String(value),
	}
	if s.KeyID != "" {
		// Only send KeyId when configured; a nil field selects the default key.
		input.KeyId = aws.String(s.KeyID)
	}

	if _, err := s.client.PutParameterWithContext(context.TODO(), input); err != nil {
		return fmt.Errorf("ssm: creating secret: %w", err)
	}
	return nil
}
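// GetSecret returns the decrypted value of the SSM parameter stored under
// name, after applying the same character rewriting SetSecret applies so
// both methods address the same parameter.
//
// It returns ErrNotFound when SSM reports ParameterNotFound and wraps any
// other SDK error. A response carrying no parameter or no value is reported
// as an error rather than dereferenced.
//
// IAM: requires ssm:GetParameter on the parameter and kms:Decrypt on the
// key the parameter was encrypted with, if that key is customer-managed.
func (s *AWSSSM) GetSecret(name string) (secret []byte, err error) {
	name = invalidSecretNameChars.ReplaceAllString(name, "_")
	out, err := s.client.GetParameterWithContext(context.TODO(), &ssm.GetParameterInput{
		Name:           &name,
		WithDecryption: aws.Bool(true), // ask SSM to decrypt the SecureString value
	})
	if err != nil {
		var aerr awserr.Error
		if errors.As(err, &aerr) && aerr.Code() == ssm.ErrCodeParameterNotFound {
			return nil, ErrNotFound
		}
		return nil, fmt.Errorf("ssm: get secret: %w", err)
	}
	// Guard the dereference below: a nil Parameter or Value would otherwise panic.
	if out.Parameter == nil || out.Parameter.Value == nil {
		return nil, fmt.Errorf("ssm: get secret: response for %q has no parameter value", name)
	}
	return []byte(*out.Parameter.Value), nil
}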