Add support for multiple keys per secret

Signed-off-by: Patrick Assuied <[email protected]>

Author: passuied

secretstores/aws/secretmanager/metadata.yaml

@@ -16,4 +16,10 @@ metadata:
     description: |
       The Secrets manager endpoint. The AWS SDK will generate a default endpoint if not specified. Useful for local testing with AWS LocalStack
     example: '"http://localhost:4566"'
-    type: string
+    type: string
+  - name: multipleKeysPerSecret
+    required: false
+    description: |
+      A boolean value to indicate if the secrets with multiple keys should break keys out.
+    example: "true"
+    type: bool

secretstores/aws/secretmanager/secretmanager.go

@@ -40,16 +40,18 @@ func NewSecretManager(logger logger.Logger) secretstores.SecretStore {
 }
 
 type SecretManagerMetaData struct {
-	Region       string `json:"region" mapstructure:"region" mdignore:"true"`
-	AccessKey    string `json:"accessKey" mapstructure:"accessKey" mdignore:"true"`
-	SecretKey    string `json:"secretKey" mapstructure:"secretKey" mdignore:"true"`
-	SessionToken string `json:"sessionToken" mapstructure:"sessionToken" mdignore:"true"`
-	Endpoint     string `json:"endpoint" mapstructure:"endpoint"`
+	Region                string `json:"region" mapstructure:"region" mdignore:"true"`
+	AccessKey             string `json:"accessKey" mapstructure:"accessKey" mdignore:"true"`
+	SecretKey             string `json:"secretKey" mapstructure:"secretKey" mdignore:"true"`
+	SessionToken          string `json:"sessionToken" mapstructure:"sessionToken" mdignore:"true"`
+	Endpoint              string `json:"endpoint" mapstructure:"endpoint"`
+	MultipleKeysPerSecret bool   `json:"multipleKeysPerSecret" mapstructure:"multipleKeysPerSecret"`
 }
 
 type smSecretStore struct {
-	authProvider awsAuth.Provider
-	logger       logger.Logger
+	authProvider          awsAuth.Provider
+	logger                logger.Logger
+	multipleKeysPerSecret bool
 }
 
 // Init creates an AWS secret manager client.
@@ -67,6 +69,7 @@ func (s *smSecretStore) Init(ctx context.Context, metadata secretstores.Metadata
 		SessionToken: meta.SessionToken,
 		Endpoint:     meta.Endpoint,
 	}
+	s.multipleKeysPerSecret = meta.MultipleKeysPerSecret
 
 	provider, err := awsAuth.NewProvider(ctx, opts, awsAuth.GetConfig(opts))
 	if err != nil {
@@ -76,6 +79,28 @@ func (s *smSecretStore) Init(ctx context.Context, metadata secretstores.Metadata
 	return nil
 }
 
+func (s *smSecretStore) formatSecret(output *secretsmanager.GetSecretValueOutput) map[string]string {
+	result := map[string]string{}
+
+	if output.Name != nil && output.SecretString != nil {
+		if s.multipleKeysPerSecret {
+			data := map[string]string{}
+			err := json.Unmarshal([]byte(*output.SecretString), &data)
+			if err == nil {
+				for k, v := range data {
+					result[*output.Name+":"+k] = v
+				}
+			} else {
+				result[*output.Name] = *output.SecretString
+			}
+		} else {
+			result[*output.Name] = *output.SecretString
+		}
+	}
+
+	return result
+}
+
 // GetSecret retrieves a secret using a key and returns a map of decrypted string/string values.
 func (s *smSecretStore) GetSecret(ctx context.Context, req secretstores.GetSecretRequest) (secretstores.GetSecretResponse, error) {
 	var versionID *string
@@ -98,9 +123,7 @@ func (s *smSecretStore) GetSecret(ctx context.Context, req secretstores.GetSecre
 	resp := secretstores.GetSecretResponse{
 		Data: map[string]string{},
 	}
-	if output.Name != nil && output.SecretString != nil {
-		resp.Data[*output.Name] = *output.SecretString
-	}
+	resp.Data = s.formatSecret(output)
 
 	return resp, nil
 }
@@ -131,9 +154,7 @@ func (s *smSecretStore) BulkGetSecret(ctx context.Context, req secretstores.Bulk
 				return secretstores.BulkGetSecretResponse{Data: nil}, fmt.Errorf("couldn't get secret: %s", *entry.Name)
 			}
 
-			if entry.Name != nil && secrets.SecretString != nil {
-				resp.Data[*entry.Name] = map[string]string{*entry.Name: *secrets.SecretString}
-			}
+			resp.Data[*entry.Name] = s.formatSecret(secrets)
 		}
 
 		nextToken = output.NextToken

secretstores/aws/secretmanager/secretmanager_test.go

@@ -162,6 +162,120 @@ func TestGetSecret(t *testing.T) {
 			require.NoError(t, e)
 			assert.Equal(t, secretValue, output.Data[req.Name])
 		})
+
+		t.Run("with multiple keys per secret", func(t *testing.T) {
+			mockSSM := &awsAuth.MockSecretManager{
+				GetSecretValueFn: func(ctx context.Context, input *secretsmanager.GetSecretValueInput, option ...request.Option) (*secretsmanager.GetSecretValueOutput, error) {
+					assert.Nil(t, input.VersionId)
+					assert.Nil(t, input.VersionStage)
+					secret := `{"key1":"value1","key2":"value2"}`
+
+					return &secretsmanager.GetSecretValueOutput{
+						Name:         input.SecretId,
+						SecretString: &secret,
+					}, nil
+				},
+			}
+
+			secret := awsAuth.SecretManagerClients{
+				Manager: mockSSM,
+			}
+
+			mockedClients := awsAuth.Clients{
+				Secret: &secret,
+			}
+			mockAuthProvider := &awsAuth.StaticAuth{}
+			mockAuthProvider.WithMockClients(&mockedClients)
+			s := smSecretStore{
+				authProvider:          mockAuthProvider,
+				multipleKeysPerSecret: true,
+			}
+
+			req := secretstores.GetSecretRequest{
+				Name:     "/aws/secret/testing",
+				Metadata: map[string]string{},
+			}
+			output, e := s.GetSecret(t.Context(), req)
+			require.NoError(t, e)
+			assert.Len(t, output.Data, 2)
+			assert.Equal(t, "value1", output.Data["/aws/secret/testing:key1"])
+			assert.Equal(t, "value2", output.Data["/aws/secret/testing:key2"])
+		})
+
+		t.Run("with multiple keys per secret and option disabled", func(t *testing.T) {
+			mockSSM := &awsAuth.MockSecretManager{
+				GetSecretValueFn: func(ctx context.Context, input *secretsmanager.GetSecretValueInput, option ...request.Option) (*secretsmanager.GetSecretValueOutput, error) {
+					assert.Nil(t, input.VersionId)
+					assert.Nil(t, input.VersionStage)
+					secret := `{"key1":"value1","key2":"value2"}`
+
+					return &secretsmanager.GetSecretValueOutput{
+						Name:         input.SecretId,
+						SecretString: &secret,
+					}, nil
+				},
+			}
+
+			secret := awsAuth.SecretManagerClients{
+				Manager: mockSSM,
+			}
+
+			mockedClients := awsAuth.Clients{
+				Secret: &secret,
+			}
+			mockAuthProvider := &awsAuth.StaticAuth{}
+			mockAuthProvider.WithMockClients(&mockedClients)
+			s := smSecretStore{
+				authProvider: mockAuthProvider,
+			}
+
+			req := secretstores.GetSecretRequest{
+				Name:     "/aws/secret/testing",
+				Metadata: map[string]string{},
+			}
+			output, e := s.GetSecret(t.Context(), req)
+			require.NoError(t, e)
+			assert.Len(t, output.Data, 1)
+			assert.Equal(t, `{"key1":"value1","key2":"value2"}`, output.Data["/aws/secret/testing"])
+		})
+
+		t.Run("with multiple keys per secret and secret is NOT json", func(t *testing.T) {
+			mockSSM := &awsAuth.MockSecretManager{
+				GetSecretValueFn: func(ctx context.Context, input *secretsmanager.GetSecretValueInput, option ...request.Option) (*secretsmanager.GetSecretValueOutput, error) {
+					assert.Nil(t, input.VersionId)
+					assert.Nil(t, input.VersionStage)
+					secret := "not json"
+
+					return &secretsmanager.GetSecretValueOutput{
+						Name:         input.SecretId,
+						SecretString: &secret,
+					}, nil
+				},
+			}
+
+			secret := awsAuth.SecretManagerClients{
+				Manager: mockSSM,
+			}
+
+			mockedClients := awsAuth.Clients{
+				Secret: &secret,
+			}
+			mockAuthProvider := &awsAuth.StaticAuth{}
+			mockAuthProvider.WithMockClients(&mockedClients)
+			s := smSecretStore{
+				authProvider:          mockAuthProvider,
+				multipleKeysPerSecret: true,
+			}
+
+			req := secretstores.GetSecretRequest{
+				Name:     "/aws/secret/testing",
+				Metadata: map[string]string{},
+			}
+			output, e := s.GetSecret(t.Context(), req)
+			require.NoError(t, e)
+			assert.Len(t, output.Data, 1)
+			assert.Equal(t, "not json", output.Data["/aws/secret/testing"])
+		})
 	})
 
 	t.Run("unsuccessfully retrieve secret", func(t *testing.T) {