feat(aws): use region if path is full arn

argoproj-labs · Apr 1, 2023 · 6d7ed93 · 6d7ed93
1 parent ddbd42b
commit 6d7ed93
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 1 deletion.
diff --git a/docs/backends.md b/docs/backends.md
@@ -243,6 +243,10 @@ documentation](https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/#specify
 supplying AWS credentials. Supported credentials and the order in which they are loaded are
 described [here](https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/#specifying-credentials).
 
+**Note About Region**
+If you provide the full AWS ARN as the secret path, ex. `arn:aws:secretsmanager:us-east-1:123123123:secret:some-secret`, 
+the region from the ARN (us-east-1) in this example, will take precedents over the AWS_REGION environment variable listed below. 
+
 These are the parameters for AWS:
 ```
 AVP_TYPE: awssecretsmanager

diff --git a/pkg/backends/awssecretsmanager.go b/pkg/backends/awssecretsmanager.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"regexp"
 
 	"github.com/argoproj-labs/argocd-vault-plugin/pkg/utils"
 	"github.com/aws/aws-sdk-go-v2/aws"
@@ -40,10 +41,21 @@ func (a *AWSSecretsManager) Login() error {
 
 // GetSecrets gets secrets from aws secrets manager and returns the formatted data
 func (a *AWSSecretsManager) GetSecrets(path string, version string, annotations map[string]string) (map[string]interface{}, error) {
+	var opts = func(o *secretsmanager.Options) {}
+
 	input := &secretsmanager.GetSecretValueInput{
 		SecretId: aws.String(path),
 	}
 
+	re := regexp.MustCompile(`(?m)^(?:[^:]+:){3}([^:]+).*`)
+	if re.MatchString(path) {
+		parts := re.FindStringSubmatch(path)
+
+		opts = func(o *secretsmanager.Options) {
+			o.Region = parts[1]
+		}
+	}
+
 	if version != "" {
 		if version == AWS_CURRENT || version == AWS_PREVIOUS {
 			input.VersionStage = aws.String(version)
@@ -53,7 +65,7 @@ func (a *AWSSecretsManager) GetSecrets(path string, version string, annotations
 	}
 
 	utils.VerboseToStdErr("AWS Secrets Manager getting secret %s at version %s", path, version)
-	result, err := a.Client.GetSecretValue(context.TODO(), input)
+	result, err := a.Client.GetSecretValue(context.TODO(), input, opts)
 	if err != nil {
 		return nil, err
 	}