Skip to content

aj/use secret region #604

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
astuyve merged 4 commits into from
Mar 11, 2025
Merged

aj/use secret region #604

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
4167edc
feat: support x-region secrets
astuyve Mar 11, 2025
5cd57e6
feat: support x-region secrets manager secrets
astuyve Mar 11, 2025
d176557
fix: Push config into secrets_manager method as this only applies to …
astuyve Mar 11, 2025
66f3b7e
add comment
astuyve Mar 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
72 changes: 68 additions & 4 deletions bottlecap/src/secrets/decrypt.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,7 @@ async fn decrypt_aws_kms(

let headers = build_get_secret_signed_headers(
aws_config,
aws_config.region.clone(),
RequestArgs {
service: "kms".to_string(),
body: json_body,
Expand All @@ -128,6 +129,7 @@ async fn decrypt_aws_kms(

let headers = build_get_secret_signed_headers(
aws_config,
aws_config.region.clone(),
RequestArgs {
service: "kms".to_string(),
body: json_body,
Expand All @@ -153,9 +155,15 @@ async fn decrypt_aws_sm(
aws_config: &AwsConfig,
) -> Result<String, Box<dyn std::error::Error>> {
let json_body = &serde_json::json!({ "SecretId": secret_arn});

// Supports cross-region secrets
let secret_region = secret_arn
.split(':')
.nth(3)
.unwrap_or(&aws_config.region)
.to_string();
let headers = build_get_secret_signed_headers(
aws_config,
secret_region,
RequestArgs {
service: "secretsmanager".to_string(),
body: json_body,
Expand Down Expand Up @@ -211,6 +219,7 @@ async fn request(

fn build_get_secret_signed_headers(
aws_config: &AwsConfig,
region: String,
header_values: RequestArgs,
) -> Result<HeaderMap, Box<dyn std::error::Error>> {
let amz_date = header_values.time.format("%Y%m%dT%H%M%SZ").to_string();
Expand All @@ -222,7 +231,7 @@ fn build_get_secret_signed_headers(
"amazonaws.com"
};

let host = format!("{}.{}.{}", header_values.service, aws_config.region, domain);
let host = format!("{}.{}.{}", header_values.service, region, domain);

let canonical_uri = "/";
let canonical_querystring = "";
Expand All @@ -240,7 +249,7 @@ fn build_get_secret_signed_headers(
let algorithm = "AWS4-HMAC-SHA256";
let credential_scope = format!(
"{}/{}/{}/aws4_request",
date_stamp, aws_config.region, header_values.service
date_stamp, region, header_values.service
);
let string_to_sign = format!(
"{}\n{}\n{}\n{}",
Expand All @@ -253,7 +262,7 @@ fn build_get_secret_signed_headers(
let signing_key = get_aws4_signature_key(
&aws_config.aws_secret_access_key,
&date_stamp,
aws_config.region.as_str(),
region.as_str(),
header_values.service.as_str(),
)?;

Expand Down Expand Up @@ -338,6 +347,7 @@ mod tests {
function_name: "arn:some-function".to_string(),
sandbox_init_time: Instant::now(),
},
"us-east-1".to_string(),
RequestArgs {
service: "secretsmanager".to_string(),
body: &serde_json::json!({ "SecretId": "arn:aws:secretsmanager:region:account-id:secret:secret-name"}),
Expand Down Expand Up @@ -373,4 +383,58 @@ mod tests {
assert_eq!(headers.get(k).expect("cannot get header"), v);
}
}

#[test]
#[allow(clippy::unwrap_used)]
fn test_cross_region_secret() {
let time = Utc.from_utc_datetime(
&NaiveDateTime::parse_from_str("2024-05-30 09:10:11", "%Y-%m-%d %H:%M:%S").unwrap(),
);
let headers = build_get_secret_signed_headers(
&AwsConfig{
region: "us-east-1".to_string(),
aws_access_key_id: "AKIDEXAMPLE".to_string(),
aws_secret_access_key: "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY".to_string(),
aws_session_token: "AQoDYXdzEJr...<remainder of session token>".to_string(),
aws_container_authorization_token: String::new(),
aws_container_credentials_full_uri: String::new(),
function_name: "arn:some-function".to_string(),
sandbox_init_time: Instant::now(),
},
"us-west-2".to_string(),
RequestArgs {
service: "secretsmanager".to_string(),
body: &serde_json::json!({ "SecretId": "arn:aws:secretsmanager:us-west-2:account-id:secret:secret-name"}),
time,
x_amz_target: "secretsmanager.GetSecretValue".to_string(),
},
).unwrap();

let mut expected_headers = HeaderMap::new();
expected_headers.insert("authorization", HeaderValue::from_str("AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20240530/us-west-2/secretsmanager/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-amz-security-token;x-amz-target, Signature=bd77112dd24d7a35566b29a39861f7421660c49b065964212f966db509e90813").unwrap());
expected_headers.insert(
"host",
HeaderValue::from_str("secretsmanager.us-west-2.amazonaws.com").unwrap(),
);
expected_headers.insert(
"content-type",
HeaderValue::from_str("application/x-amz-json-1.1").unwrap(),
);
expected_headers.insert(
"x-amz-date",
HeaderValue::from_str("20240530T091011Z").unwrap(),
);
expected_headers.insert(
"x-amz-target",
HeaderValue::from_str("secretsmanager.GetSecretValue").unwrap(),
);
expected_headers.insert(
"x-amz-security-token",
HeaderValue::from_str("AQoDYXdzEJr...<remainder of session token>").unwrap(),
);

for (k, v) in &expected_headers {
assert_eq!(headers.get(k).expect("cannot get header"), v);
}
}
}