Kralizek / AWSSecretsManagerConfigurationExtensions

This repository contains a provider for Microsoft.Extensions.Configuration that retrieves secrets stored in AWS Secrets Manager.
MIT License

The code is using ListSecrets even though I have both defined AcceptedSecretArns and SecretsFilter #78

Status: Closed (jxwaters closed this issue 1 year ago)

jxwaters commented 1 year ago

When deployed to AWS, it fails calling

Kralizek.Extensions.Configuration.Internal.SecretsManagerConfigurationProvider.FetchAllSecretsAsync(CancellationToken cancellationToken)

With error

---> Amazon.SecretsManager.AmazonSecretsManagerException: User: arn:aws:sts::*REDACTED is not authorized to perform: secretsmanager:ListSecrets because no identity-based policy allows the secretsmanager:ListSecrets action

How do I get it to only get the requested secrets?

I am using partial ARNs (just the unique key names). Is that why?

Kralizek commented 1 year ago

As it is right now, the secretsmanager:ListSecrets API is invoked at least once. I can see why this could be unexpected behavior, and I think it's OK to mark it as a bug or, anyway, as something that can be fixed within the scope of the 2.0 release.

https://github.com/Kralizek/AWSSecretsManagerConfigurationExtensions/blob/6c8d0393a75cfdae0462fad5849920f15cb4f60d/src/Kralizek.Extensions.Configuration.AWSSecretsManager/Internal/SecretsManagerConfigurationProvider.cs#L182-L205

jxwaters commented 1 year ago

Actually, it was user error, it DOES work with AcceptedSecretARNs defined.

```csharp
if (Options.AcceptedSecretArns.Count > 0)
{
    return Options.AcceptedSecretArns
        .Select(x => new SecretListEntry { ARN = x, Name = x })
        .ToList();
}
```
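The following is an added, self-contained example (not code from the Kralizek project) that mirrors the branch quoted above so the two code paths discussed in this thread can be seen side by side: a non-empty `AcceptedSecretArns` list is turned into `SecretListEntry` objects directly, while an empty list falls through to a `ListSecrets` call. `SecretListEntry` and `AmazonSecretsManagerException` are the real AWS SDK types; `SecretSelectionOptions`, `SecretEnumeration.ResolveAsync`, the `listSecrets` delegate and the secret names are assumptions made for the example. The stand-in lister throws the same exception type the issue reports, so if it is ever reached the fallback path was taken.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Amazon.SecretsManager;
using Amazon.SecretsManager.Model;

// Assumed stand-in for the provider's options object (only the property this thread discusses).
public sealed class SecretSelectionOptions
{
    public List<string> AcceptedSecretArns { get; } = new List<string>();
}

public static class SecretEnumeration
{
    // Returns the entries that will later be read individually with GetSecretValue.
    // 'listSecrets' stands in for IAmazonSecretsManager.ListSecretsAsync and is only
    // awaited when no accepted ARNs were configured.
    public static async Task<List<SecretListEntry>> ResolveAsync(
        SecretSelectionOptions options,
        Func<CancellationToken, Task<List<SecretListEntry>>> listSecrets,
        CancellationToken cancellationToken = default)
    {
        if (options.AcceptedSecretArns.Count > 0)
        {
            // Same shape as the branch quoted in the issue: each accepted value (a full ARN
            // or a partial ARN / secret name) becomes an entry without any API call, so the
            // calling identity needs no secretsmanager:ListSecrets permission.
            return options.AcceptedSecretArns
                .Select(arn => new SecretListEntry { ARN = arn, Name = arn })
                .ToList();
        }

        // Fallback: enumerate every secret the identity can see. This is the call that
        // fails with AccessDenied when the policy does not grant ListSecrets.
        return await listSecrets(cancellationToken).ConfigureAwait(false);
    }
}

public static class Program
{
    public static async Task Main()
    {
        // Constructed stand-in for the AWS call; it throws the exception type from the
        // issue, so reaching it means ListSecrets was invoked.
        Func<CancellationToken, Task<List<SecretListEntry>>> deniedListSecrets = _ =>
            throw new AmazonSecretsManagerException(
                "constructed: identity is not authorized to perform secretsmanager:ListSecrets");

        var options = new SecretSelectionOptions();
        options.AcceptedSecretArns.Add("prod/db/password"); // constructed partial ARN (secret name)
        options.AcceptedSecretArns.Add(
            "arn:aws:secretsmanager:eu-west-1:123456789012:secret:prod/api-key-AbCdEf"); // constructed full ARN

        // Path 1: accepted ARNs configured, the lister is never called.
        var entries = await SecretEnumeration.ResolveAsync(options, deniedListSecrets);
        Console.WriteLine($"Resolved {entries.Count} entries without calling ListSecrets:");
        foreach (var entry in entries)
        {
            Console.WriteLine($"  {entry.Name}");
        }

        // Path 2: empty list, the fallback runs and the access-denied error surfaces.
        try
        {
            await SecretEnumeration.ResolveAsync(new SecretSelectionOptions(), deniedListSecrets);
        }
        catch (AmazonSecretsManagerException ex)
        {
            Console.WriteLine($"Empty AcceptedSecretArns -> ListSecrets attempted: {ex.Message}");
        }
    }
}
```

The practical consequence for the IAM side is that an identity configured with `AcceptedSecretArns` only needs `secretsmanager:GetSecretValue` on the listed secrets; `ListSecrets` can be left out of its policy entirely, which keeps the application from being able to discover secrets it was not meant to read. `GetSecretValue` accepts either a full ARN or the secret name as `SecretId`, which is why the partial ARNs from the original question work on this path.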