package repowatch
import (
"encoding/json"
"errors"
"fmt"
"sync"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/arn"
"github.com/aws/aws-sdk-go/aws/ec2metadata"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/secretsmanager"
)
// awsSecretsManagerLock serialises construction of the shared EC2 metadata
// client across goroutines.
var awsSecretsManagerLock sync.Mutex

// awsSecretsManagerMetadataClient is the process-wide cached metadata client;
// it stays nil until the first successful construction.
var awsSecretsManagerMetadataClient *ec2metadata.EC2Metadata

// awsSecretsManagerMetadataClientError remembers the first construction
// failure so that later callers get the same error back without retrying.
var awsSecretsManagerMetadataClientError error
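// getMetadataClient returns the process-wide EC2 instance metadata client,
// building it on first use. Both the client and the first construction
// failure are cached for the lifetime of the process: once the metadata
// service has been found unavailable (not running on EC2, or IMDS disabled
// or unreachable), every later call returns that same error without probing
// again.
//
// Returns an error when the SDK session cannot be created or when the
// metadata service does not answer from this host.
func getMetadataClient() (*ec2metadata.EC2Metadata, error) {
	awsSecretsManagerLock.Lock()
	defer awsSecretsManagerLock.Unlock()
	if awsSecretsManagerMetadataClient != nil {
		return awsSecretsManagerMetadataClient, nil
	}
	if awsSecretsManagerMetadataClientError != nil {
		return nil, awsSecretsManagerMetadataClientError
	}
	// session.NewSession surfaces configuration problems as an error here,
	// whereas the deprecated session.New only reported them on the first
	// request. Using NewSession also matches getAwsSecret below.
	awsSession, err := session.NewSession()
	if err != nil {
		awsSecretsManagerMetadataClientError = fmt.Errorf(
			"error creating session: %w", err)
		return nil, awsSecretsManagerMetadataClientError
	}
	metadataClient := ec2metadata.New(awsSession)
	// Available() probes the metadata endpoint; a negative answer is cached
	// deliberately so a host that is not on EC2 does not re-probe on every
	// secret lookup.
	if !metadataClient.Available() {
		awsSecretsManagerMetadataClientError = errors.New(
			"not running on AWS or metadata is not available")
		return nil, awsSecretsManagerMetadataClientError
	}
	awsSecretsManagerMetadataClient = metadataClient
	return awsSecretsManagerMetadataClient, nil
}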
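// getAwsSecret fetches the secret named by secretId from AWS Secrets Manager
// and decodes its SecretString as a flat JSON object of string values.
//
// The region is taken from secretId when it is a full ARN that carries one;
// otherwise it is looked up through metadataClient, which must then be
// non-nil (a nil client is reported as an error instead of being
// dereferenced).
//
// Only string secrets are supported: a secret stored as SecretBinary, or a
// SecretString that is not a JSON object of strings, yields an error. SDK
// errors are wrapped with %w so callers can inspect them with errors.As
// (for example as an awserr.Error to distinguish "not found" from "access
// denied").
func getAwsSecret(metadataClient *ec2metadata.EC2Metadata,
	secretId string) (map[string]string, error) {
	region, err := resolveSecretRegion(metadataClient, secretId)
	if err != nil {
		return nil, err
	}
	awsSession, err := session.NewSession(&aws.Config{
		Region: aws.String(region),
	})
	if err != nil {
		return nil, fmt.Errorf("error creating session: %w", err)
	}
	if awsSession == nil {
		return nil, errors.New("awsSession == nil")
	}
	awsService := secretsmanager.New(awsSession)
	input := secretsmanager.GetSecretValueInput{SecretId: aws.String(secretId)}
	output, err := awsService.GetSecretValue(&input)
	if err != nil {
		return nil,
			fmt.Errorf("error calling secretsmanager:GetSecretValue: %w", err)
	}
	if output.SecretString == nil {
		return nil, errors.New("no SecretString in secret")
	}
	var secrets map[string]string
	if err := json.Unmarshal([]byte(*output.SecretString), &secrets); err != nil {
		// Keep the raw SecretString out of the error text: it is the secret
		// itself and errors may be logged by the caller.
		return nil, fmt.Errorf("error unmarshaling secret: %w", err)
	}
	return secrets, nil
}

// resolveSecretRegion picks the region Secrets Manager is called in: the
// region embedded in secretId when it parses as an ARN with a non-empty
// region, else the instance region reported by metadataClient.
func resolveSecretRegion(metadataClient *ec2metadata.EC2Metadata,
	secretId string) (string, error) {
	// The local is not named arn: that would shadow the arn package inside
	// the if and makes the code hard to read.
	if parsed, err := arn.Parse(secretId); err == nil && parsed.Region != "" {
		return parsed.Region, nil
	}
	if metadataClient == nil {
		return "", errors.New(
			"no region in secret ID and no metadata client available")
	}
	region, err := metadataClient.Region()
	if err != nil {
		return "", fmt.Errorf("error getting region from metadata: %w", err)
	}
	return region, nil
}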