awslabs / ssosync

Populate AWS SSO directly with your G Suite users and groups using either a CLI or AWS Lambda
Apache License 2.0
512 stars 175 forks

SSOSYNC_REGION environment variable is not respected when deployed as Lambda function #170

Closed anggras closed 5 months ago

anggras commented 6 months ago

Describe the bug
When deployed as a Lambda function with the SSOSYNC_REGION environment variable set to the ARN of a Secrets Manager secret, ssosync still expects the value from the SSOSyncRegion secret.

To Reproduce
Steps to reproduce the behavior:

  1. Deploy ssosync version 2.1.2 as a Lambda function
  2. Configure the environment variables SSOSYNC_GOOGLE_CREDENTIALS, SSOSYNC_GOOGLE_ADMIN, SSOSYNC_SCIM_ENDPOINT, SSOSYNC_SCIM_ACCESS_TOKEN, SSOSYNC_REGION, and SSOSYNC_IDENTITY_STORE_ID to the ARNs of the respective secrets (non-default secret names).
  3. The following error will be asserted

    level=fatal msg="cannot read config: ResourceNotFoundException: Secrets Manager can't find the specified secret."

  4. Create a Secrets Manager secret named SSOSyncRegion
  5. The function runs successfully

Expected behavior
ssosync should respect the SSOSYNC_REGION environment variable and fetch the secret value from the specified ARN.

Additional context
n/a
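As an added illustration, not ssosync's own code (the SecretReader interface, loadSetting, noEnv and the in-memory fake store are all constructed for this example), the resolution order the reporter expects: take the secret identifier from the Lambda environment variable when it is set, and fall back to the default secret name only when it is absent. Running the same function with the environment ignored reproduces the lookup of SSOSyncRegion and the ResourceNotFoundException quoted above, with the identifier that was actually tried included in the error so the fallback is visible in the Lambda log rather than hidden behind a bare "can't find the specified secret".

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// SecretReader abstracts the Secrets Manager call so the resolution logic
// can be exercised offline against a fake store.
type SecretReader interface {
	GetSecretValue(id string) (string, error)
}

// resolveSecretID picks the Secrets Manager identifier for one setting:
// the ARN supplied via the Lambda environment variable when it is set,
// otherwise the default secret name (SSOSyncRegion for SSOSYNC_REGION).
func resolveSecretID(lookupEnv func(string) (string, bool), envVar, defaultName string) string {
	if v, ok := lookupEnv(envVar); ok && v != "" {
		return v
	}
	return defaultName
}

// loadSetting resolves the identifier, fetches the value and reports which
// identifier was actually used, so a silent fallback to the default name
// shows up in the error message instead of only as a not-found exception.
func loadSetting(r SecretReader, lookupEnv func(string) (string, bool), envVar, defaultName string) (value, usedID string, err error) {
	usedID = resolveSecretID(lookupEnv, envVar, defaultName)
	value, err = r.GetSecretValue(usedID)
	if err != nil {
		return "", usedID, fmt.Errorf("cannot read config: %w (looked up %q for %s)", err, usedID, envVar)
	}
	return value, usedID, nil
}

// fakeSecrets is a constructed in-memory stand-in for Secrets Manager.
type fakeSecrets map[string]string

func (f fakeSecrets) GetSecretValue(id string) (string, error) {
	v, ok := f[id]
	if !ok {
		return "", errors.New("ResourceNotFoundException: Secrets Manager can't find the specified secret.")
	}
	return v, nil
}

// noEnv simulates a loader that ignores the Lambda environment entirely,
// which is the behaviour the issue reports.
func noEnv(string) (string, bool) { return "", false }

func main() {
	// Constructed ARN and store: only the custom-named secret exists;
	// there is deliberately no secret called SSOSyncRegion.
	const regionARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:my-sso-region-EXAMPLE"
	store := fakeSecrets{regionARN: "us-east-1"}

	// Expected behaviour: the environment variable names the secret to read.
	_ = os.Setenv("SSOSYNC_REGION", regionARN)
	v, id, err := loadSetting(store, os.LookupEnv, "SSOSYNC_REGION", "SSOSyncRegion")
	fmt.Printf("env respected: value=%q id=%q err=%v\n", v, id, err)

	// Reported behaviour: the environment is ignored, the default name is
	// looked up and the lookup fails with the error from the bug report.
	_, id, err = loadSetting(store, noEnv, "SSOSYNC_REGION", "SSOSyncRegion")
	fmt.Printf("env ignored:   id=%q err=%v\n", id, err)
}
```

The same resolveSecretID/loadSetting pair applies unchanged to the other five variables in the report; only the environment variable name and default secret name differ per setting.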

ChrisPates commented 6 months ago

How are you deploying the Lambda? SAM, SAR or something else?

Chris


anggras commented 6 months ago

Hi @ChrisPates,

I renamed the binary to bootstrap, compressed to zip and uploaded it to a Lambda function.

Anggra

ChrisPates commented 6 months ago

Apologies for the delay. I have reproduced the behavior in my test environment. Having reviewed the code, it may well apply to all secrets; I'm going to perform further testing and then look at implementing a fix.

anggras commented 6 months ago

No worries @ChrisPates, I just created a PR with what I did for my internal use.

ChrisPates commented 6 months ago

Thank you for sharing. On closer inspection there is actually a broader issue with the Lambda env vars being ignored. I have a build I'm testing currently, but it should address your original issue and some previously unidentified ones.