Enhancement: Introduce new query parameter for jsonKey to enable common use case #55

Open
jfisheratwork opened this issue Jan 7, 2025 · 2 comments
Labels
enhancement New feature or request

jfisheratwork commented Jan 7, 2025

Enhancement to provide for common use case looking for a specific key (password) out of the secret payload

Often, though many different pieces of data are in the Secret Manager JSON payload, the data the application is interested in is simply the password or secret at hand.

Look to add parity similar to how it works when retrieving directly from ECS/task definition

Implementation details/concerns:

  • As the payload would change should it be a different end point or just an additional query param?
  • What type of validation and error codes would be needed for when json key is not present?

Option 1:
Add a new simple query parameter
http://localhost:2773/secretsmanager/get?secretId=<YOUR_SECRET_ID>&jsonKey=password

(Less Ideal) Resulting payload BAU with new response key SecretKeyValue

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-a1b2c3",
    "Name": "MyTestSecret",
    "VersionId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "SecretString": "{\"username\":\"diegor\",\"password\":\"EXAMPLE-PASSWORD\"}",
    "SecretKeyValue": "EXAMPLE-PASSWORD",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": 1523477145.713
}

(More Ideal) Resulting payload that breaks the contract of original query response

EXAMPLE-PASSWORD

Option 2:
Introduce a different endpoint to allow for different payload

http://localhost:2773/secretsmanager/<YOUR_SECRET_ID>/password

Resulting payload

EXAMPLE-PASSWORD

I am open to trying to help contribute if the issue is accepted.

jfisheratwork added the "enhancement" (New feature or request) label Jan 7, 2025

simonmarty (Contributor) commented Jan 15, 2025

Having each consumer of the agent have to do additional work to parse json and retrieve is error prone.

Do you have examples of situations where this is error prone? jq/language specific JSON libraries are trivial to use. I worry this would pollute the agent API unnecessarily.

jfisheratwork (Author) commented Jan 17, 2025

The observation I was making was more related to trying to provide for a common use case.

Often, though many different pieces of data are in the Secret Manager JSON payload, the data the application is interested in is simply the password or secret at hand.

When looking at the way AWS ECS provided for injecting secrets, I really appreciated that they added the ability to specify a query including the JSON key:

arn:aws:secretsmanager:region:aws_account_id:secret:secret-name:json-key:version-stage:version-id

So in this case it's not so much about trying to avoid an error or the use of a JSON library within the application, but instead looking to provide a way that more succinctly allows the application to request exactly what it is looking for.

jfisheratwork changed the title from "Introduced new query parameter for jsonKey" to "Enhancement: Introduce new query parameter for jsonKey to enable common use case" Jan 17, 2025
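Added example, not part of the issue thread or the agent project's code: a client-side sketch of the jsonKey lookup discussed above, run against a response shaped like the payload in the opening comment, with the "key not present" and non-JSON cases from the issue's validation question made explicit. The function name `extract_json_key`, the `SecretKeyError` type and the sample values are assumptions for illustration.

```python
import json

# Constructed sample, shaped like the agent response shown in the issue.
SAMPLE_RESPONSE = json.dumps({
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-a1b2c3",
    "Name": "MyTestSecret",
    "VersionId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "SecretString": "{\"username\":\"diegor\",\"password\":\"EXAMPLE-PASSWORD\"}",
    "VersionStages": ["AWSCURRENT"],
    "CreatedDate": 1523477145.713,
})


class SecretKeyError(Exception):
    """Hypothetical error type; its messages never contain secret material."""


def _parse_object(text: str, what: str) -> dict:
    """Parse text as a JSON object, reporting failures without echoing text."""
    try:
        parsed = json.loads(text)
    except json.JSONDecodeError:
        # "from None" keeps the decoder error (whose .doc attribute holds
        # the raw text) out of the printed traceback.
        raise SecretKeyError(f"{what} is not valid JSON") from None
    if not isinstance(parsed, dict):
        raise SecretKeyError(f"{what} is not a JSON object")
    return parsed


def extract_json_key(response_body: str, json_key: str) -> str:
    """Return the value of json_key inside the response's SecretString."""
    envelope = _parse_object(response_body, "agent response")
    secret_string = envelope.get("SecretString")
    if not isinstance(secret_string, str):
        # For example, a secret stored as SecretBinary.
        raise SecretKeyError("response has no SecretString")
    fields = _parse_object(secret_string, "SecretString")
    if json_key not in fields:
        # Name the requested key only, never the keys or values found.
        raise SecretKeyError(f"key {json_key!r} not present in secret")
    value = fields[json_key]
    if not isinstance(value, str):
        raise SecretKeyError(f"key {json_key!r} is not a string value")
    return value
```

Each failure mode raises a distinct message, which is the same set of cases a server-side `jsonKey` parameter would have to map to error codes.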