Secrets Manager Datasource Doesn't Appear to Work
Opened this issue · 3 comments
./gomplate --version
gomplate version 4.1.0
aws --version
aws-cli/1.24.10 Python/3.6.8 Linux/4.18.0-553.8.1.el8_10.x86_64 botocore/1.26.10
cat /etc/redhat-release
Red Hat Enterprise Linux release 8.10 (Ootpa)
Hi,
I'm attempting to retrieve secrets using AWS Secrets Manager (on an EC2 instance), however, I'm getting this error:
ec2-user]# ./gomplate --verbose -d 'foo=aws+sm:' -i '{{ ds "foo" "goemplate" }}'
13:32:18 DBG starting gomplate
13:32:18 DBG config is:
---
datasources:
  foo:
    header: {}
    url: 'aws+sm:'
in: '{{ ds "f...'
version=4.1.0 build=cc2584028866967a39b096265d5b9af4516c734f
13:32:18 DBG completed rendering templatesRendered=0 errors=1 duration=84.088165ms
13:32:18 ERR err="renderTemplate: failed to render template <arg>: template: <arg>:1:3: executing \"<arg>\" at <ds \"foo\" \"goemplate\">: error calling ds: couldn't read datasource 'foo' (aws+sm:///goemplate): stat (url: \"aws+sm:///\", name: \"goemplate\"): stat goemplate: file does not exist"
Looking at my CloudTrail logs, I'm seeing this:
...
errorCode ResourceNotFoundException
errorMessage Secrets Manager can't find the specified secret.
eventCategory Management
eventID NNee72f2-f237-4467-81b4-fe0d81f8cNNN
eventName GetSecretValue
eventSource secretsmanager.amazonaws.com
eventTime 2024-07-23T13:23:37Z
eventType AwsApiCall
eventVersion 1.09
managementEvent 1
readOnly 1
requestParameters.secretId /goemplate
...
As you can see on that last line, a forward slash is being included at the start of the secretId when it shouldn't be. This also occurs if I specify, for instance, goemplate/something or goemplate/something/something.
Any assistance appreciated and thanks for a great tool.
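To make the path handling described above concrete, here is an added example (not gomplate's own code) of a hypothetical SecretID helper that joins the datasource URL path with the name passed to ds and strips the leading "/" before the value is used as a Secrets Manager secretId; the cases in main are the two invocations quoted in this issue plus a URL that already carries a path.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// SecretID derives the Secrets Manager secret name from an aws+sm datasource
// URL and the name given to the ds function. The URL path and the name are
// joined with path.Join and the leading "/" that a file-style path carries is
// removed, because Secrets Manager treats "/goemplate" and "goemplate" as
// different secrets. Hypothetical helper, not gomplate's implementation.
func SecretID(dsURL, name string) (string, error) {
	u, err := url.Parse(dsURL)
	if err != nil {
		return "", err
	}
	if u.Scheme != "aws+sm" {
		return "", fmt.Errorf("unsupported scheme %q in %q", u.Scheme, dsURL)
	}
	// "aws+sm:" parses with an empty path; "aws+sm:///" parses with path "/".
	joined := path.Join(u.Path, name)
	if joined == "." || joined == "/" {
		return "", fmt.Errorf("no secret name given for %q", dsURL)
	}
	return strings.TrimPrefix(joined, "/"), nil
}

func main() {
	// Constructed cases: the two invocations quoted in the issue, plus a
	// datasource URL that already carries a path component.
	cases := [][2]string{
		{"aws+sm:", "goemplate"},
		{"aws+sm:///", "/goemplate/awssm/test"},
		{"aws+sm:///goemplate/", "something/something"},
	}
	for _, c := range cases {
		id, err := SecretID(c[0], c[1])
		fmt.Printf("url=%q name=%q -> secretId=%q err=%v\n", c[0], c[1], id, err)
	}
}
```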
I think this may be a duplicate of #2180 - as a workaround, try setting the region?
It's not that, unfortunately. The error message when I hadn't was very clear, which was nice:
15:46:40 ERR err="renderTemplate: failed to render template one.txt.tmpl: template: one.txt.tmpl:1:32: executing \"one.txt.tmpl\" at <ds \"testsource\" \"/goemplate/awssm/test\">: error calling ds: couldn't read datasource 'testsource' (aws+sm:///goemplate/awssm/test): stat (url: \"aws+sm:///\", name: \"goemplate/awssm/test\"): stat test: getSecretValue: operation error Secrets Manager: GetSecretValue, failed to resolve service endpoint, endpoint rule error, Invalid Configuration: Missing Region"
Ah - this reminds me of some strangeness I had to deal with in the old v3 implementation. Looks like some of that got lost in the v4/go-fsimple shuffle.