Fix Secrets Manager ARN lookup failing when suffix is absent in user-supplied ARN #93
Open
mheffner wants to merge 2 commits into
…supplied ARN

AWS Secrets Manager always returns the full ARN with its random 6-char suffix (e.g. myapp/api_key-AbCdEf) in BatchGetSecretValue responses, even when the caller specified the ARN without that suffix. The returned ARN failed to match back against arns_by_base, causing a spurious "Returned secret ARN was not found" error.

Add a strip_sm_arn_suffix fallback so that if the direct ARN lookup misses, we try again after stripping the trailing -XXXXXX suffix.
Summary
- `myapp/api_key-AbCdEf`) in `BatchGetSecretValue` responses, even when the caller specified the ARN without that suffix (or via secret name / partial ARN).
- `resolve_secrets` in `env.rs` builds `arns_by_base` keyed by the user-supplied ARN (no suffix), then looks up the returned ARN — which has the suffix — and fails to find a match, producing a spurious `Returned secret ARN was not found` error.
- `strip_sm_arn_suffix` helper that detects and strips the trailing `-XXXXXX` portion. The lookup now falls back to the suffix-stripped ARN if the direct match misses.

Resolves: #92
Test plan
- `test_strip_sm_arn_suffix` covers: full ARN with suffix → stripped, ARN without suffix → no-op, short/5-char suffix → no-op
- `ROTEL_EXPORTER_CUSTOM_HEADERS=Authorization=Bearer ${arn:aws:secretsmanager:REGION:ACCOUNT:secret:NAME}` (without suffix) and confirm the extension loads the secret successfully
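A sketch of the exact-match-then-stripped-match lookup described in the summary, added here as an illustration and not taken from the PR's code. The function signatures, the hypothetical `lookup_returned_arn` helper, the value type of `arns_by_base`, and the assumption that the suffix is six ASCII alphanumerics are all assumptions; the ARNs are constructed samples.

```rust
use std::collections::HashMap;

/// Strip a trailing "-XXXXXX" (hyphen plus six ASCII alphanumerics) from the
/// secret-name part of a Secrets Manager ARN; any other input is returned as-is.
fn strip_sm_arn_suffix(arn: &str) -> &str {
    if !arn.starts_with("arn:") || arn.split(':').nth(2) != Some("secretsmanager") {
        return arn;
    }
    // The name follows the sixth colon: arn:partition:service:region:account:secret:NAME
    let name_start = match arn.match_indices(':').nth(5) {
        Some((i, _)) => i + 1,
        None => return arn,
    };
    let name = &arn[name_start..];
    match name.rfind('-') {
        Some(dash)
            if dash > 0
                && name.len() - dash - 1 == 6
                && name[dash + 1..].bytes().all(|b| b.is_ascii_alphanumeric()) =>
        {
            &arn[..name_start + dash]
        }
        _ => arn,
    }
}

/// Hypothetical helper: exact match first, suffix-stripped match second.
/// The order matters: a secret name may itself end in a hyphen plus six
/// characters (e.g. "db-backup"), and stripping unconditionally would turn
/// that key into "db" and miss, or hit the wrong entry.
fn lookup_returned_arn<'a, V>(arns_by_base: &'a HashMap<String, V>, returned: &str) -> Option<&'a V> {
    arns_by_base
        .get(returned)
        .or_else(|| arns_by_base.get(strip_sm_arn_suffix(returned)))
}

fn main() {
    // Constructed sample values; region, account id and names are placeholders.
    let base = "arn:aws:secretsmanager:us-east-1:123456789012:secret:myapp/api_key";
    let mut arns_by_base = HashMap::new();
    arns_by_base.insert(base.to_string(), "ROTEL_EXPORTER_CUSTOM_HEADERS");
    let returned = format!("{}-AbCdEf", base);
    println!("{:?}", lookup_returned_arn(&arns_by_base, &returned));
}
```

Because the fallback is purely syntactic, a mapping keyed by both a short name and a longer name that ends in a hyphen plus six characters deserves its own test case alongside the three listed in the test plan.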