Kralizek / AWSSecretsManagerConfigurationExtensions

This repository contains a provider for Microsoft.Extensions.Configuration that retrieves secrets stored in AWS Secrets Manager.
MIT License

Sanitize secrets' names when using AddSecretsManager's AcceptedSecretArns option #53

Closed hslavkov closed 3 years ago

hslavkov commented 3 years ago

Hi,

When using the option SecretFilter the secret is retrieved by its name.
When using the option AcceptedSecretArns the secret is retrieved by its ARN.

In SecretListEntry class there's no difference between values of Name and ARN properties although the summary of Name suggests it to be the friendly name of the secret.

Suggestion: Make AcceptedSecretsArns return the expected friendly name in the Name property so that it could be used as the path to the secret instead of the current entire ARN.

Kralizek commented 3 years ago

Hi @hslavkov

Sorry for the late answer. Quite busy nowadays.

Could you please run something like the snippet below to show how the items are added to the configuration system?

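```csharp
using System;
using Microsoft.Extensions.Configuration;

void Main()
{
    // Load secrets through the provider using the default options.
    var configuration = new ConfigurationBuilder().AddSecretsManager().Build();

    // Print every configuration key; the value is masked so no secret reaches the output.
    foreach (var item in configuration.AsEnumerable())
    {
        Console.WriteLine($"{item.Key} = '## SECRET VALUE ##'");
    }
}
```

hslavkov commented 3 years ago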

No problem and thanks for replying!

This seems to be getting all the secrets and their values in this way (note that my user has no restrictions):

SecretName:0:KeyName = '## SECRET VALUE ##'

hslavkov commented 3 years ago

The point is, when you use the .AddSecretsManager() configurator options.AcceptedSecretArns then the secret would be returned like this:

ARN:SecretName:0:KeyName = '## SECRET VALUE ##'

It is possible I am missing something important..

Kralizek commented 3 years ago

Yeah, it feels wrong to me as well.

Kralizek commented 3 years ago

@hslavkov would you mind testing if the artifacts produced by this build are behaving as expected?

If you give me the ok, I'll publish the version 1.6.3 of the package :)

hslavkov commented 3 years ago

@Kralizek hi, I hereby confirm that with this pre-release version options.SecretFilter and options.AcceptedSecretArns options provide secrets in the same way where key to the secret is the secretName. Looks good to me! This fixes the problem of the prepended arn to the secret name => ARN:SecretName that came in with version 1.6.1

Thank you, please do comment on releasing this version officially as I follow this PR and would get an email notification.

Kralizek commented 3 years ago

@hslavkov I just released version 1.6.2. It should be on NuGet in half an hour.
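
The key layouts quoted in this thread can be checked offline after an upgrade. The following is an added example, not code from the thread or from the project: it assumes an in-memory provider as a stand-in for the Secrets Manager provider, and the ARN, the class `ArnKeyCheck` and its helpers are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Extensions.Configuration;

static class ArnKeyCheck
{
    // Constructed ARN with a placeholder account id and suffix; not a value from the issue.
    const string SampleArn =
        "arn:aws:secretsmanager:eu-west-1:123456789012:secret:SecretName-AbCdEf";

    // Stand-in for the provider: one in-memory entry whose key starts with the given prefix.
    static IConfiguration Build(string prefix) =>
        new ConfigurationBuilder()
            .AddInMemoryCollection(new Dictionary<string, string>
            {
                [$"{prefix}:0:KeyName"] = "## SECRET VALUE ##"
            })
            .Build();

    // Leaf keys that begin with an ARN, i.e. the prefixed layout reported in this issue.
    static List<string> FindArnPrefixedKeys(IConfiguration configuration) =>
        configuration.AsEnumerable()
            .Where(item => item.Value != null)
            .Select(item => item.Key)
            .Where(key => key.StartsWith("arn:aws:", StringComparison.OrdinalIgnoreCase))
            .ToList();

    static void Main()
    {
        var byName = Build("SecretName");
        var byArn = Build($"{SampleArn}:SecretName");

        // ':' is the configuration path delimiter, so each ARN segment becomes a section
        // and the friendly-name path only resolves in the first layout.
        const string path = "SecretName:0:KeyName";
        Console.WriteLine($"name layout resolves {path}: {byName[path] != null}");
        Console.WriteLine($"ARN layout resolves {path}: {byArn[path] != null}");

        // Report key names only; values are never written out.
        foreach (var key in FindArnPrefixedKeys(byArn))
            Console.WriteLine($"ARN-prefixed key: {key}");
        Console.WriteLine($"ARN-prefixed keys in name layout: {FindArnPrefixedKeys(byName).Count}");
    }
}
```

Pointing `FindArnPrefixedKeys` at a configuration built with the real provider gives a quick regression check that key names stay on the friendly-name layout.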