mirror of
https://github.com/fleetdm/fleet
synced 2026-04-21 21:47:20 +00:00
e37aa6cf29
for #31321 # Details Small updates from [community PR](https://github.com/fleetdm/fleet/pull/31134): * Updated config vars to match [docs](https://github.com/fleetdm/fleet/blob/docs-v4.75.0/docs/Configuration/fleet-server-configuration.md#server_private_key_region) * Added support for specifying region in config (already documented) * Removed parsing of ARN for region * Made retry backoff intervals a bit longer # Checklist for submitter If some of the following don't apply, delete the relevant line. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. (already added in the community PR [here](https://github.com/fleetdm/fleet/blob/sgress454/updates-for-private-key-in-aws-sm/changes/private-key-secrets-manager#L0-L1) ## Testing - [X] Added/updated automated tests - [X] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit - New Features - Added support for specifying the AWS region for server private key retrieval from AWS Secrets Manager via server.private_key_region. - Chores - Renamed configuration keys: - server.private_key_secret_arn → server.private_key_arn - server.private_key_secret_sts_assume_role_arn → server.private_key_sts_assume_role_arn - server.private_key_secret_sts_external_id → server.private_key_sts_external_id - Update your configuration to use the new keys. - Adjusted retry backoff for Secrets Manager retrieval to improve resilience. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
108 lines
3.7 KiB
Go
108 lines
3.7 KiB
Go
package config
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"math/rand"
|
|
"time"
|
|
|
|
aws_config "github.com/aws/aws-sdk-go-v2/config"
|
|
"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
|
|
"github.com/aws/aws-sdk-go-v2/service/secretsmanager/types"
|
|
"github.com/fleetdm/fleet/v4/server/aws_common"
|
|
)
|
|
|
|
// SecretsManagerClient interface for dependency injection and testing
|
|
type SecretsManagerClient interface {
|
|
GetSecretValue(ctx context.Context, params *secretsmanager.GetSecretValueInput,
|
|
optFns ...func(*secretsmanager.Options)) (*secretsmanager.GetSecretValueOutput, error)
|
|
}
|
|
|
|
// retrieveSecretWithRetry retrieves the secret from AWS with retry logic
|
|
func retrieveSecretWithRetry(ctx context.Context, client SecretsManagerClient, secretArn string) (string, error) {
|
|
const maxRetries = 3
|
|
var lastErr error
|
|
|
|
for attempt := 0; attempt < maxRetries; attempt++ {
|
|
if attempt > 0 {
|
|
// Exponential backoff with jitter: base 500ms with ±50% randomization
|
|
baseBackoff := time.Duration(500*(1<<uint(attempt-1))) * time.Millisecond // #nosec G115 - attempt is bounded by maxRetries
|
|
jitter := time.Duration(rand.Float64()*float64(baseBackoff)) - baseBackoff/2 // #nosec G404 - not security sensitive
|
|
backoff := baseBackoff + jitter
|
|
select {
|
|
case <-ctx.Done():
|
|
return "", ctx.Err()
|
|
case <-time.After(backoff):
|
|
}
|
|
}
|
|
|
|
input := &secretsmanager.GetSecretValueInput{
|
|
SecretId: &secretArn,
|
|
}
|
|
|
|
output, err := client.GetSecretValue(ctx, input)
|
|
if err != nil {
|
|
lastErr = err
|
|
|
|
// Don't retry certain errors
|
|
var notFoundErr *types.ResourceNotFoundException
|
|
var unauthorizedErr *types.InvalidRequestException
|
|
var invalidParamErr *types.InvalidParameterException
|
|
|
|
if errors.As(err, ¬FoundErr) {
|
|
return "", fmt.Errorf("secret not found: %s", secretArn)
|
|
}
|
|
if errors.As(err, &unauthorizedErr) {
|
|
return "", fmt.Errorf("access denied to secret: %s", secretArn)
|
|
}
|
|
if errors.As(err, &invalidParamErr) {
|
|
return "", fmt.Errorf("invalid secret ARN: %s", secretArn)
|
|
}
|
|
|
|
// Retry for other errors (network issues, throttling, etc.)
|
|
continue
|
|
}
|
|
|
|
// Extract secret value
|
|
if output.SecretString != nil {
|
|
return *output.SecretString, nil
|
|
}
|
|
|
|
if output.SecretBinary != nil {
|
|
return "", fmt.Errorf("secret %s contains binary data, expected string", secretArn)
|
|
}
|
|
|
|
return "", fmt.Errorf("secret %s contains no data", secretArn)
|
|
}
|
|
|
|
return "", fmt.Errorf("failed to retrieve secret after %d attempts: %w", maxRetries, lastErr)
|
|
}
|
|
|
|
// RetrieveSecretsManagerSecret retrieves a secret from AWS Secrets Manager
|
|
// with support for STS assume role authentication
|
|
func RetrieveSecretsManagerSecret(ctx context.Context, secretArn, region, assumeRoleArn, externalID string) (string, error) {
|
|
return RetrieveSecretsManagerSecretWithOptions(ctx, secretArn, region, assumeRoleArn, externalID)
|
|
}
|
|
|
|
// RetrieveSecretsManagerSecretWithOptions retrieves a secret from AWS Secrets Manager
|
|
// with custom AWS config options (useful for testing with LocalStack)
|
|
func RetrieveSecretsManagerSecretWithOptions(ctx context.Context, secretArn, region, assumeRoleArn, externalID string, opts ...func(*aws_config.LoadOptions) error) (string, error) {
|
|
configOpts := []func(*aws_config.LoadOptions) error{aws_config.WithRegion(region)}
|
|
configOpts = append(configOpts, opts...)
|
|
cfg, err := aws_config.LoadDefaultConfig(ctx, configOpts...)
|
|
if err != nil {
|
|
return "", fmt.Errorf("failed to load AWS config: %w", err)
|
|
}
|
|
|
|
if assumeRoleArn != "" {
|
|
cfg, err = aws_common.ConfigureAssumeRoleProvider(cfg, nil, assumeRoleArn, externalID)
|
|
if err != nil {
|
|
return "", fmt.Errorf("failed to configure assume role: %w", err)
|
|
}
|
|
}
|
|
|
|
client := secretsmanager.NewFromConfig(cfg)
|
|
|
|
return retrieveSecretWithRetry(ctx, client, secretArn)
|
|
}
|