hairyhenderson / gomplate

A flexible commandline tool for template rendering. Supports lots of local and remote datasources.
https://gomplate.ca
MIT License

Secrets Manager Datasource Doesn't Appear to Work #2190

Open sjiveson opened 1 month ago

sjiveson commented 1 month ago
./gomplate --version
gomplate version 4.1.0

aws --version
aws-cli/1.24.10 Python/3.6.8 Linux/4.18.0-553.8.1.el8_10.x86_64 botocore/1.26.10

cat /etc/redhat-release
Red Hat Enterprise Linux release 8.10 (Ootpa)

Hi,

I'm attempting to retrieve secrets using AWS Secrets Manager (on an EC2 instance), however, I'm getting this error:

ec2-user]# ./gomplate --verbose -d 'foo=aws+sm:' -i '{{ ds "foo" "goemplate" }}'
13:32:18 DBG starting gomplate
13:32:18 DBG config is:
---
datasources:
  foo:
    header: {}
    url: 'aws+sm:'
in: '{{ ds "f...'
 version=4.1.0 build=cc2584028866967a39b096265d5b9af4516c734f
13:32:18 DBG completed rendering templatesRendered=0 errors=1 duration=84.088165ms
13:32:18 ERR  err="renderTemplate: failed to render template <arg>: template: <arg>:1:3: executing \"<arg>\" at <ds \"foo\" \"goemplate\">: error calling ds: couldn't read datasource 'foo' (aws+sm:///goemplate): stat (url: \"aws+sm:///\", name: \"goemplate\"): stat goemplate: file does not exist"

Looking at my CloudTrail logs, I'm seeing this:

...
errorCode   ResourceNotFoundException
errorMessage    Secrets Manager can't find the specified secret.
eventCategory   Management
eventID NNee72f2-f237-4467-81b4-fe0d81f8cNNN
eventName   GetSecretValue
eventSource secretsmanager.amazonaws.com
eventTime   2024-07-23T13:23:37Z
eventType   AwsApiCall
eventVersion    1.09
managementEvent 1
readOnly    1
requestParameters.secretId  /goemplate
...

As you can see on that last line, a forward slash is being included at the start of the secretId when it shouldn't be. This also occurs if I specify, for instance, goemplate/something or goemplate/something/something.

Any assistance appreciated and thanks for a great tool.
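The leading-slash behaviour reported above, as an added Go illustration that is not gomplate's code: a hypothetical helper that derives the Secrets Manager secret ID from an aws+sm: datasource URL and the name passed to ds, trimming the slashes so that `aws+sm:///` plus `goemplate` yields `goemplate` rather than the `/goemplate` seen in the CloudTrail requestParameters. The function name and the inputs are assumptions for this example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// SecretIDFromDatasource builds the secret ID that would be sent in a
// GetSecretValue call from an aws+sm: datasource URL and a ds name.
// Hypothetical helper for illustration only; not gomplate's implementation.
func SecretIDFromDatasource(dsURL, name string) string {
	// Strip the scheme: "aws+sm:///prod/" -> "///prod/".
	rest := strings.TrimPrefix(dsURL, "aws+sm:")
	// Drop the authority separator and any leading slashes so the
	// base path is relative: "///prod/" -> "prod/".
	base := strings.TrimLeft(rest, "/")
	// The name may itself carry a leading slash ("/goemplate/awssm/test").
	name = strings.TrimLeft(name, "/")
	// path.Join also collapses doubled slashes ("prod//db" -> "prod/db").
	joined := path.Join(base, name)
	// Secrets Manager secret names are looked up without a leading "/",
	// so never let one through.
	return strings.TrimLeft(joined, "/")
}

// HasLeadingSlash reports whether a secret ID would trigger the
// ResourceNotFoundException symptom from the issue (constructed check).
func HasLeadingSlash(secretID string) bool {
	return strings.HasPrefix(secretID, "/")
}

func main() {
	// Constructed inputs mirroring the invocations in the issue.
	cases := [][2]string{
		{"aws+sm:///", "goemplate"},
		{"aws+sm:///", "/goemplate/awssm/test"},
		{"aws+sm:///prod/", "db"},
	}
	for _, c := range cases {
		id := SecretIDFromDatasource(c[0], c[1])
		fmt.Printf("url=%q name=%q -> secretId=%q leadingSlash=%v\n",
			c[0], c[1], id, HasLeadingSlash(id))
	}
}
```

Comparing the derived secretId against the requestParameters.secretId in CloudTrail is a quick way to confirm whether the tool or the secret name is at fault before changing any IAM policy or region settings.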

hairyhenderson commented 1 month ago

I think this may be a duplicate of #2180 - as a workaround, try setting the region?

sjiveson commented 1 month ago

It's not that, unfortunately; the error message when I hadn't was very clear, which was nice:

15:46:40 ERR  err="renderTemplate: failed to render template one.txt.tmpl: template: one.txt.tmpl:1:32: executing \"one.txt.tmpl\" at <ds \"testsource\" \"/goemplate/awssm/test\">: error calling ds: couldn't read datasource 'testsource' (aws+sm:///goemplate/awssm/test): stat (url: \"aws+sm:///\", name: \"goemplate/awssm/test\"): stat test: getSecretValue: operation error Secrets Manager: GetSecretValue, failed to resolve service endpoint, endpoint rule error, Invalid Configuration: Missing Region"

hairyhenderson commented 1 month ago

Ah - this reminds me of some strangeness I had to deal with in the old v3 implementation. Looks like some of that got lost in the v4/go-fsimple shuffle.