- package awsssm
- import (
- "fmt"
- "os"
- "regexp"
- "strconv"
- "strings"
- "github.com/aws/aws-sdk-go/aws"
- "github.com/aws/aws-sdk-go/aws/awserr"
- "github.com/aws/aws-sdk-go/service/ssm"
- "github.com/aws/aws-sdk-go/service/ssm/ssmiface"
- )
// DefaultKeyID is the KMS key alias used to encrypt and decrypt secrets when the
// caller does not supply a key of its own.
const DefaultKeyID = "alias/parameter_store_key"
// Accepted shapes for Parameter Store key names. Both are compiled once at package
// scope. The character class is ASCII word characters plus '-' and '.'; note that
// it does allow segments made only of dots (e.g. "/.."). These are SSM parameter
// names rather than filesystem paths, so the check is about name shape, not traversal.
var (
	// validPathKeyFormat: one or more non-empty "/segment" pieces, e.g. "/svc/key".
	validPathKeyFormat = regexp.MustCompile(`^(\/[\w\-\.]+)+$`)

	// validKeyFormat: a single non-empty segment with no separators, e.g. "key".
	validKeyFormat = regexp.MustCompile(`^[\w\-\.]+$`)
)
// Compile-time check that *SSMStore satisfies the Store interface.
var _ Store = (*SSMStore)(nil)
// SSMStore implements the Store interface for storing secrets in SSM Parameter
// Store.
type SSMStore struct {
	// svc is the SSM client; an interface so it can be replaced in tests.
	svc ssmiface.SSMAPI
	// usePaths selects the "/<service>/<key>" naming scheme and the
	// ssm:GetParametersByPath read path (see ListRaw) instead of the
	// DescribeParameters-based listing.
	usePaths bool
}
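// ListRaw lists all secrets keys and values for a given service. Does not include any
// other meta-data. Uses faster AWS APIs with much higher rate-limits. Suitable for
// use in production environments.
//
// With usePaths set, secrets are read via ssm:GetParametersByPath under
// "/<service>/" with decryption enabled, so the caller also needs kms:Decrypt on the
// key backing any SecureString parameters. Parameters whose name fails validateName
// (or has no name at all) are skipped silently. If the call is rejected with an
// AccessDeniedException that names ssm:GetParametersByPath, a warning is written to
// stderr and the method falls back to listRawViaList (ssm:DescribeParameters); any
// other error is returned unchanged. Without usePaths it always delegates to
// listRawViaList.
//
// The returned slice is in no particular order.
func (s *SSMStore) ListRaw(service string) ([]RawSecret, error) {
	if !s.usePaths {
		// Delegate to List (which uses the DescribeParameters API).
		return s.listRawViaList(service)
	}

	secrets := map[string]RawSecret{}
	input := &ssm.GetParametersByPathInput{
		Path:           aws.String("/" + service + "/"),
		WithDecryption: aws.Bool(true),
	}
	err := s.svc.GetParametersByPathPages(input, func(resp *ssm.GetParametersByPathOutput, lastPage bool) bool {
		for _, param := range resp.Parameters {
			// Guard the pointer fields: a Parameter with a nil Name must not
			// panic the whole listing, and a nil Value is read as "".
			if param.Name == nil || !s.validateName(*param.Name) {
				continue
			}
			name := *param.Name
			secrets[name] = RawSecret{
				Value: aws.StringValue(param.Value),
				Key:   name,
			}
		}
		return true
	})
	if err != nil {
		// Only an access-denied error that specifically names
		// ssm:GetParametersByPath triggers the fallback. Matching on the message
		// text is fragile (AWS does not guarantee its wording), but the error
		// code alone does not say which action was denied.
		if awsErr, ok := err.(awserr.Error); ok &&
			awsErr.Code() == "AccessDeniedException" &&
			strings.Contains(awsErr.Message(), "is not authorized to perform: ssm:GetParametersByPath on resource") {
			// Fall back to the old list method for users who have not updated
			// their IAM permissions yet, but warn and tell them to fix them.
			fmt.Fprintf(
				os.Stderr,
				"Warning: %s\nFalling-back to using ssm:DescribeParameters. This may cause delays or failures due to AWS rate-limiting.\n"+
					"This is behavior deprecated and will be removed in a future version of chamber. Please update your IAM permissions to grant ssm:GetParametersByPath.\n\n",
				awsErr)
			return s.listRawViaList(service)
		}
		return nil, err
	}

	rawSecrets := make([]RawSecret, 0, len(secrets))
	for _, rawSecret := range secrets {
		rawSecrets = append(rawSecrets, rawSecret)
	}
	return rawSecrets, nil
}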