Fix Secrets Manager ARN lookup failing when suffix is absent in user-supplied ARN #93

Open: mheffner wants to merge 2 commits into main from fix/sm-arn-suffix-lookup

Conversation

mheffner (Member) commented Jun 29, 2026

Summary

  • AWS Secrets Manager always returns the full ARN with its random 6-char suffix (e.g. myapp/api_key-AbCdEf) in BatchGetSecretValue responses, even when the caller specified the ARN without that suffix (or via secret name / partial ARN).
  • resolve_secrets in env.rs builds arns_by_base keyed by the user-supplied ARN (no suffix), then looks up the returned ARN — which has the suffix — and fails to find a match, producing a spurious Returned secret ARN was not found error.
  • Fix adds a strip_sm_arn_suffix helper that detects and strips the trailing -XXXXXX portion. The lookup now falls back to the suffix-stripped ARN if the direct match misses.

Resolves: #92

Test plan

  • New unit test test_strip_sm_arn_suffix covers: full ARN with suffix → stripped, ARN without suffix → no-op, short/5-char suffix → no-op
  • Existing unit and integration tests pass
  • Manual verification: set ROTEL_EXPORTER_CUSTOM_HEADERS=Authorization=Bearer ${arn:aws:secretsmanager:REGION:ACCOUNT:secret:NAME} (without suffix) and confirm the extension loads the secret successfully

mheffner added 2 commits June 28, 2026 22:53
…supplied ARN

AWS Secrets Manager always returns the full ARN with its random 6-char suffix
(e.g. myapp/api_key-AbCdEf) in BatchGetSecretValue responses, even when the
caller specified the ARN without that suffix. The returned ARN failed to match
back against arns_by_base, causing a spurious "Returned secret ARN was not
found" error.

Add a strip_sm_arn_suffix fallback so that if the direct ARN lookup misses, we
try again after stripping the trailing -XXXXXX suffix.
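
A sketch of the exact-match-then-stripped lookup the description above outlines, added here as an illustration and not the code from this PR. The function signatures, the `match_returned_arn` name, the alphanumeric-suffix check and the sample ARNs are assumptions; only the names `strip_sm_arn_suffix` and `arns_by_base` come from the page.

```rust
use std::collections::HashMap;

/// Strip a trailing "-XXXXXX" from the secret name of a Secrets Manager ARN.
/// Assumption: the suffix is a hyphen plus exactly 6 ASCII alphanumerics.
/// Returns None when the ARN has no such suffix (nothing to strip).
fn strip_sm_arn_suffix(arn: &str) -> Option<&str> {
    // arn:PARTITION:secretsmanager:REGION:ACCOUNT:secret:NAME[-XXXXXX]
    let parts: Vec<&str> = arn.splitn(7, ':').collect();
    if parts.len() != 7 || parts[2] != "secretsmanager" || parts[5] != "secret" {
        return None;
    }
    let name_start = arn.len() - parts[6].len();
    let (base, suffix) = arn.rsplit_once('-')?;
    // The hyphen must sit inside NAME with text before it; otherwise the last
    // hyphen belongs to the region (e.g. "us-east-1") or the name is empty.
    if base.len() <= name_start {
        return None;
    }
    let ok = suffix.len() == 6 && suffix.bytes().all(|b| b.is_ascii_alphanumeric());
    if ok { Some(base) } else { None }
}

/// Map an ARN returned by the API back to the entry keyed by the ARN the user
/// supplied. Exact match wins; the stripped form is tried only on a miss.
fn match_returned_arn<'a, V>(arns_by_base: &'a HashMap<String, V>, returned: &str) -> Option<&'a V> {
    arns_by_base
        .get(returned)
        .or_else(|| strip_sm_arn_suffix(returned).and_then(|base| arns_by_base.get(base)))
}

fn main() {
    // Constructed sample values, not taken from the PR.
    let supplied = "arn:aws:secretsmanager:us-east-1:123456789012:secret:myapp/api_key";
    let returned = "arn:aws:secretsmanager:us-east-1:123456789012:secret:myapp/api_key-AbCdEf";
    let mut arns_by_base = HashMap::new();
    arns_by_base.insert(supplied.to_string(), "Authorization header");
    println!("{:?}", match_returned_arn(&arns_by_base, returned));
}
```

Trying the exact ARN first keeps a user-supplied full ARN from being remapped to a different entry. AWS advises against secret names that end in a hyphen followed by six characters, because such a name cannot be told apart from a suffixed ARN.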
Development

Successfully merging this pull request may close these issues.

Secretsmanager lookup fails with partial ARN
