diff --git a/template/interpolate/aws/secretsmanager/secretsmanager.go b/template/interpolate/aws/secretsmanager/secretsmanager.go index b0ce5dfb3..9cdcd4ed3 100644 --- a/template/interpolate/aws/secretsmanager/secretsmanager.go +++ b/template/interpolate/aws/secretsmanager/secretsmanager.go @@ -75,9 +75,13 @@ func (c *Client) GetSecret(spec *SecretSpec) (string, error) { func getSecretValue(s *SecretString, spec *SecretSpec) (string, error) { var secretValue map[string]string - blob := []byte(s.SecretString) + //For those plaintext secrets just return the value + if json.Valid(blob) != true { + return s.SecretString, nil + } + err := json.Unmarshal(blob, &secretValue) if err != nil { return "", err diff --git a/template/interpolate/aws/secretsmanager/secretsmanager_test.go b/template/interpolate/aws/secretsmanager/secretsmanager_test.go index 32905b075..31cb3e085 100644 --- a/template/interpolate/aws/secretsmanager/secretsmanager_test.go +++ b/template/interpolate/aws/secretsmanager/secretsmanager_test.go @@ -106,6 +106,18 @@ func TestGetSecret(t *testing.T) { mock: secretsmanager.GetSecretValueOutput{}, ok: false, }, + { + description: "input has secret stored as plaintext", + arg: &SecretSpec{ + Name: "test", + }, + mock: secretsmanager.GetSecretValueOutput{ + Name: aws.String("test"), + SecretString: aws.String("ThisIsThePassword"), + }, + want: "ThisIsThePassword", + ok: true, + }, } for _, test := range testCases { diff --git a/website/pages/docs/templates/user-variables.mdx b/website/pages/docs/templates/user-variables.mdx index f58ccf6c4..e4b375c7e 100644 --- a/website/pages/docs/templates/user-variables.mdx +++ b/website/pages/docs/templates/user-variables.mdx 
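Review bot: The plaintext fallback in getSecretValue is taken for any non-JSON secret, whether or not the caller asked for a specific key. A key lookup against a plaintext or malformed secret would therefore return the whole secret string instead of an error (the spec's key field is not visible in this hunk, so confirm against SecretSpec). Consider taking the fallback only when no key was requested and returning an error otherwise. Plaintext values that are themselves valid JSON, such as `12345` or `true`, still pass json.Valid and then fail in json.Unmarshal into `map[string]string`, so they stay unsupported. On style, `if json.Valid(blob) != true {` reads better as `if !json.Valid(blob) {`, with the comment as `// Plaintext (non-JSON) secrets are returned as-is.`; the function body continues past the end of the hunk.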
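Review bot: The new table entry in TestGetSecret covers only a plaintext secret requested without a key, so the cases where the fallback can surprise are not pinned. Add an entry where `arg` also names a key while the mock returns a plaintext `SecretString`. Add another where the plaintext is itself valid JSON (a constructed value such as `aws.String("12345")`), each with the `ok` value the code is meant to produce. The test table and the loop that runs it continue outside the hunk.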
@@ -191,10 +191,25 @@ and detailed documentation for usage of each of those variables can be found ## AWS Secrets Manager Variables Secrets can be read from [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) -and used within your template as user variables. the `aws_secretsmanager` function is +and used within your template as user variables. The `aws_secretsmanager` function is available _only_ within the default value of a user variable, allowing you to default a user variable to an AWS Secrets Manager secret. + +### Plaintext Secrets +```json +{ + "variables": { + "password": "{{ aws_secretsmanager `globalpassword` }}" + } +} +``` + +In the example above it is assumed that the secret `globalpassword` is not + stored as a key pair but as a single non-JSON string value. Which the + `aws_secretsmanager` function will return as a raw string. + +### Single Key Secrets ```json { "variables": { @@ -203,8 +218,11 @@ a user variable to an AWS Secrets Manager secret. } ``` -In the example above it is assumed that only one key is stored in `sample/app/password` if there are multiple keys stored in it then you need to indicate the specific key you want to fetch as shown below. +In the example above it is assumed that only one key is stored in + `sample/app/password` if there are multiple keys stored in it then you need + to indicate the specific key you want to fetch as shown below. +### Multiple Key Secrets ```json { "variables": {