AWS Secrets Manager Bearer Token Value Parsing about opa-aws-cloudformation-hook HOT 5 CLOSED

Hi Jimmy! The SecretString is expected to be the token itself, not presented as a key/value JSON object. I tried to express this in the docs:

Note that the token should be provided as a plain string in the secret (i.e. the SecretString) and not wrapped in a JSON object.

But perhaps it could be phrased better? 🤔

from opa-aws-cloudformation-hook.

So, maybe I am doing something wrong, but I don't see how you can enter just a value. It requires a key as well. When you retrieve the SecretString, it is a K/V pair, in a string. You can enter just a key with no value, but it still returns a K/V string, just with an empty value position.

Also, your hook config schema refers to the opaAuthTokenSecret key being set to opa_auth_token.

{"opaAuthTokenSecret":{"description":"ARN referencing a secret containing a token to use for authenticating against OPA (secret key must be 'opa_auth_token')","type":"string"},

from opa-aws-cloudformation-hook.

So, if you use the plain-text, and not the key/value fields then it should work, for a value with no key. In the AWS CLI, it would be:

aws secretsmanager create-secret --name opa_auth_otken --secret-string "<VALUE>"

I guess the secret key must be 'opa_auth_token') confused me.

Perhaps it should be referenced as "Secret Name", instead.

from opa-aws-cloudformation-hook.

Ah, yes, that's probably from an older iteration! Thanks for pointing that out 👍 Do you want to submit a PR to remove that or should I?

from opa-aws-cloudformation-hook.

Fixed in #42. Thanks @pauly4it 👍

from opa-aws-cloudformation-hook.