Support secrets manager JSON secrets #342
Comments
github-actions
bot
added
aws-λ-extension
|
@agabeev-godaddy thanks for opening the issue. Sounds reasonable to accept JSON, particularly since AWS recommends encoding secrets as JSON in their docs.
Is this important for your use case? Would it be acceptable if we were to expect well-defined, non-configurable, keys like "secret_token" and "api_key"? As a user, you would specify the secret ID, and its contents would have a well-defined format like: {
"secret_token": "<secret token>"
}This would be similar to how AWS services expect JSON secrets with a specific JSON structure: https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_secret_json_structure.html |
|
Hi @axw , sorry for late reply, Can we use well-defined keys as fallback value, like 'secert_token' / 'api_key', but still allow to override? Thanks, |
It's technically possible, but I'd like to understand why this is important. Could you please describe your use case(s) for overriding the keys?
No - I'd just like to keep things simple, and follow the existing approach used by AWS services.
Definitely 👍 |
|
@axw , the reason behind is that there is a process which manages different ESSP installations and different keys are already in place. It may be hard to adjust, but I think it is manageable. However, we can go with approach you are suggested if we support additional fields in json. Thanks |
Is your feature request related to a problem? Please describe.
Common way to store secrets in AWS secrets manager is in a JSON format.
However, current implementation supports only plain string value when processing ELASTIC_APM_SECRETS_MANAGER_SECRET_TOKEN_ID environment variable:
https://github.com/elastic/apm-aws-lambda/blob/main/app/aws.go#L70
It may be useful to support json secrets as well.
Describe the solution you'd like
We may consider to introduce second level environment variables, like
ELASTIC_APM_SECRETS_MANAGER_SECRET_TOKEN_JSON_FIELD
ELASTIC_APM_SECRETS_MANAGER_API_KEY_JSON_FIELD
If these env variables are set, prior to using secret value, we may attempt to parse string secret value into unstructured JSON map and retrieve token/apikey from map based on provided json field, before this lines:
https://github.com/elastic/apm-aws-lambda/blob/main/app/aws.go#L41
https://github.com/elastic/apm-aws-lambda/blob/main/app/aws.go#L52
Describe alternatives you've considered
Additional context
Existing doc: https://www.elastic.co/guide/en/apm/lambda/current/aws-lambda-secrets-manager.html
The text was updated successfully, but these errors were encountered: