
AWS Secrets Manager Bearer Token Value Parsing #35

jimmyraywv opened this issue Apr 22, 2022 · 5 comments

Comments

@jimmyraywv

jimmyraywv commented Apr 22, 2022

Does the AWS Secrets Manager bearer token value need parsing? Your code:

https://github.com/StyraInc/opa-aws-cloudformation-hook/blob/main/hooks/src/styra_opa_hook/handlers.py#L28-L44

Returns the SecretString from SecretsManager: `{"opa_auth_token": "<VALUE>"}`.

Are you expecting that entire string `{"opa_auth_token": "<VALUE>"}` to be configured in the OPA server token auth? Or do we need to parse the actual value out with something like:

```python
import json

if 'SecretString' in resp:
    # pull the single value out of the {"key": "value"} JSON that Secrets Manager returns
    return list(json.loads(resp['SecretString']).values())[0]
```
@anderseknert
Member

Hi Jimmy! The SecretString is expected to be the token itself, not presented as a key/value JSON object. I tried to express this in the docs:

> Note that the token should be provided as a plain string in the secret (i.e. the SecretString) and not wrapped in a JSON object.

But perhaps it could be phrased better? 🤔

@jimmyraywv
Author

So, maybe I am doing something wrong, but I don't see how you can enter just a value. It requires a key as well. When you retrieve the SecretString, it is a K/V pair, in a string. You can enter just a key with no value, but it still returns a K/V string, just with an empty value position.

Also, your hook config schema refers to the opaAuthTokenSecret key being set to opa_auth_token.

```json
{"opaAuthTokenSecret":{"description":"ARN referencing a secret containing a token to use for authenticating against OPA (secret key must be 'opa_auth_token')","type":"string"},
```

@jimmyraywv
Author

jimmyraywv commented Apr 25, 2022

So, if you use the plain-text, and not the key/value fields then it should work, for a value with no key. In the AWS CLI, it would be:

```shell
aws secretsmanager create-secret --name opa_auth_token --secret-string "<VALUE>"
```

I guess the "(secret key must be 'opa_auth_token')" confused me.

Perhaps it should be referenced as "Secret Name", instead.
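The two secret shapes discussed in this thread (the plain-string token the hook expects, and the `{"opa_auth_token": "<VALUE>"}` JSON that the console's key/value editor produces) are easy to confuse, and silently sending the JSON blob as a bearer token fails in a confusing way. The following is an added example, not code from the opa-aws-cloudformation-hook project: a small reader that accepts the plain form, unwraps the JSON form under the documented key, and rejects empty or unparseable payloads instead of passing them on. It assumes a response dict shaped like boto3's `get_secret_value` output (the `SecretString` key is the only field used); the sample responses at the bottom are constructed.

```python
import json

# Key the hook's schema description names for the JSON-wrapped form (taken from this thread).
JSON_SECRET_KEY = "opa_auth_token"


class SecretFormatError(ValueError):
    """Raised when the Secrets Manager payload cannot be used as a bearer token."""


def extract_opa_token(resp: dict) -> str:
    """Return the bearer token from a get_secret_value-style response dict.

    Accepts the plain-string form the hook documents and, defensively, the
    {"opa_auth_token": "<VALUE>"} form, so a JSON object is never forwarded
    verbatim as an Authorization header value.
    """
    if "SecretString" not in resp:
        raise SecretFormatError("secret has no SecretString (binary secrets are not supported)")
    raw = resp["SecretString"].strip()
    if not raw:
        raise SecretFormatError("SecretString is empty")
    if raw.startswith("{"):
        # Looks like the key/value editor's JSON wrapper: unwrap under the documented key.
        try:
            data = json.loads(raw)
        except json.JSONDecodeError as exc:
            raise SecretFormatError("SecretString looks like JSON but does not parse") from exc
        if not isinstance(data, dict) or JSON_SECRET_KEY not in data:
            raise SecretFormatError(f"JSON secret must contain the key {JSON_SECRET_KEY!r}")
        token = str(data[JSON_SECRET_KEY]).strip()
        if not token:
            # The console lets you save a key with no value; catch that case explicitly.
            raise SecretFormatError(f"{JSON_SECRET_KEY!r} is present but its value is empty")
        return token
    # Plain-string secret: the whole SecretString is the token.
    return raw


# Constructed sample responses, shaped like boto3's get_secret_value output.
PLAIN = {"SecretString": "s3cr3t-token"}
WRAPPED = {"SecretString": '{"opa_auth_token": "s3cr3t-token"}'}
EMPTY_VALUE = {"SecretString": '{"opa_auth_token": ""}'}

if __name__ == "__main__":
    for name, resp in [("plain", PLAIN), ("wrapped", WRAPPED), ("empty", EMPTY_VALUE)]:
        try:
            print(name, "->", extract_opa_token(resp))
        except SecretFormatError as exc:
            print(name, "-> rejected:", exc)
```

The JSON branch is triggered by a leading `{`, so a token that itself begins with that character would be misread; if that is a possibility in your deployment, pin the expected form (plain or wrapped) in configuration rather than sniffing it.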

@anderseknert
Member

Ah, yes, that's probably from an older iteration! Thanks for pointing that out 👍 Do you want to submit a PR to remove that or should I?

@anderseknert
Member

Fixed in #42. Thanks @pauly4it 👍
