apiclient: add support for secretsmanager:// URIs

Anish Cheraku · Anish Cheraku · commit ed78c9803a7c · 2025-08-01T22:35:48.000Z
diff --git a/sources/Cargo.lock b/sources/Cargo.lock
diff --git a/sources/Cargo.toml b/sources/Cargo.toml
@@ -115,6 +115,7 @@ aws-sdk-cloudformation = "1"
 aws-sdk-ec2 = "1"
 aws-sdk-eks = "1"
 aws-sdk-s3 = "1"
+aws-sdk-secretsmanager = "1"
 aws-smithy-runtime = "1"
 aws-smithy-runtime-api = "1"
 aws-smithy-types = "1"
diff --git a/sources/api/apiclient/Cargo.toml b/sources/api/apiclient/Cargo.toml
@@ -15,11 +15,12 @@ tls = ["dep:rustls", "dep:aws-lc-rs", "reqwest/rustls-tls-native-roots"]
 fips = ["tls", "aws-lc-rs/fips", "rustls/fips"]
 
 [dependencies]
-async-trait = "0.1"
+async-trait.workspace = true
 aws-smithy-types.workspace = true
 aws-config.workspace = true
 aws-lc-rs = { workspace = true, optional = true, features = ["bindgen"] }
-aws-sdk-s3.workspace = true 
+aws-sdk-s3.workspace = true
+aws-sdk-secretsmanager.workspace = true
 base64.workspace = true
 constants.workspace = true
 datastore.workspace = true
diff --git a/sources/api/apiclient/src/apply.rs b/sources/api/apiclient/src/apply.rs
@@ -1,9 +1,10 @@
 //! This module allows application of settings from URIs or stdin.  The inputs are expected to be
 //! TOML settings files, in the same format as user data, or the JSON equivalent.  The inputs are
 //! pulled and applied to the API server in a single transaction.
-
-use aws_sdk_s3::Client;
-use crate::uri_resolver::{StdinUri, FileUri, HttpUri, S3Uri, UriResolver};
+//! use aws_smithy_runtime_api::client::result::SdkError;
+use aws_sdk_secretsmanager::operation::get_secret_value::GetSecretValueError;
+use aws_sdk_secretsmanager::config::http::HttpResponse as SdkHttpResponse;
+use crate::uri_resolver::{StdinUri, FileUri, HttpUri, S3Uri, UriResolver, SecretsManagerUri};
 use crate::rando;
 use futures::future::{join, ready, TryFutureExt};
 use futures::stream::{self, StreamExt};
@@ -83,11 +84,16 @@ fn select_resolver(input: &str) -> Result<Box<dyn UriResolver>> {
         return Ok(Box::new(r));
     }
 
+    // 6) secretsmanager://
+    if let Ok(r) = SecretsManagerUri::try_from(input) {
+        return Ok(Box::new(r));
+    }
+
     // 2) parse as a URL
     let url = Url::parse(input).context(error::UriSnafu { input_source: input.to_string() })?;
 
     // 3) file://
-    if let Ok(r) = FileUri::try_from(url.clone()) {
+    if let Ok(r) = FileUri::try_from(&url) {
         return Ok(Box::new(r));
     }
 
@@ -97,11 +103,11 @@ fn select_resolver(input: &str) -> Result<Box<dyn UriResolver>> {
     }
 
     // 5) s3://
-    if let Ok(r) = S3Uri::try_from(url) {
+    if let Ok(r) = S3Uri::try_from(url.clone()) {
         return Ok(Box::new(r));
     }
 
-    NoResolverSnafu {
+    error::NoResolverSnafu {
         input_source: input.to_string(),
     }
     .fail()
@@ -141,10 +147,12 @@ fn format_change(input: &str, input_source: &str) -> Result<String> {
 }
 
 pub(crate) mod error {
+    use aws_sdk_secretsmanager::operation::get_secret_value::GetSecretValueError;
     use snafu::Snafu;
 
     #[derive(Debug, Snafu)]
     #[snafu(visibility(pub(crate)))]
+
     pub enum Error {
         #[snafu(display("Failed to commit combined settings to '{}': {}", uri, source))]
         CommitApply {
@@ -234,6 +242,18 @@ pub(crate) mod error {
         #[snafu(display("Invalid S3 URI scheme for '{}', expected s3://", input_source))]
         S3UriScheme { input_source: String },
 
+        #[snafu(display("Invalid Secrets Manager URI scheme for '{}', expected secretsmanager://", input_source))]
+        SecretsManagerUri { input_source: String },
+
+        #[snafu(display("Failed to fetch secret '{}' from Secrets Manager: {}", secret_id, source))]
+        SecretsManagerGet {
+            secret_id: String,
+            source: aws_sdk_secretsmanager::error::SdkError<GetSecretValueError>,
+        },
+
+        #[snafu(display("Secrets Manager secret '{}' did not return a string value", secret_id))]
+        SecretsManagerStringMissing { secret_id: String },
+
         #[snafu(display(
             "Failed to translate TOML from '{}' to JSON for API: {}",
             input_source,
diff --git a/sources/api/apiclient/src/uri_resolver.rs b/sources/api/apiclient/src/uri_resolver.rs
@@ -1,6 +1,8 @@
 // src/uri_resolver.rs
 
 use async_trait::async_trait;
+use aws_sdk_secretsmanager as sm; 
+use aws_config;
 use snafu::{ensure, ResultExt, OptionExt};
 use std::convert::TryFrom;
 use std::path::PathBuf;
@@ -9,7 +11,7 @@ use tokio::io::AsyncReadExt;
 use reqwest::Url;
 use crate::apply::{Error, Result};
 use crate::apply::error::{
-    FileReadSnafu, FileUriSnafu, ReqwestSnafu, StdinReadSnafu, S3UriMissingBucketSnafu, InvalidFileUriSnafu, InvalidHTTPUriSnafu, S3UriSchemeSnafu
+    FileReadSnafu, FileUriSnafu, ReqwestSnafu, StdinReadSnafu, S3UriMissingBucketSnafu, InvalidFileUriSnafu, InvalidHTTPUriSnafu, S3UriSchemeSnafu, SecretsManagerUriSnafu, SecretsManagerGetSnafu, SecretsManagerStringMissingSnafu,
 };
 
 /// Anything that can fetch itself as a UTF-8 `String`.
@@ -51,10 +53,10 @@ pub struct FileUri {
     path: PathBuf,
 }
 
-impl TryFrom<Url> for FileUri {
+impl TryFrom<&Url> for FileUri {
     type Error = Error;
 
-    fn try_from(url: Url) -> std::result::Result<Self, Self::Error> {
+    fn try_from(url: &Url) -> std::result::Result<Self, Self::Error> {
         // only accept file://
         ensure!(
             url.scheme() == "file",
@@ -133,6 +135,7 @@ impl TryFrom<Url> for S3Uri {
     type Error = Error;
 
     fn try_from(url: Url) -> std::result::Result<Self, Self::Error> {
+        log::error!("tryfromS3");
         ensure!(
             url.scheme() == "s3",
             S3UriSchemeSnafu { input_source: url.to_string() }
@@ -157,3 +160,49 @@ impl UriResolver for S3Uri {
     }
 }
 
+/// secretsmanager://<secret_id>
+pub struct SecretsManagerUri {
+    secret_id: String,
+}
+
+impl TryFrom<&str> for SecretsManagerUri {
+    type Error = Error;
+
+    fn try_from(s: &str) -> std::result::Result<Self, Self::Error> {
+        const PREFIX: &str = "secretsmanager://";
+        if let Some(id) = s.strip_prefix(PREFIX) {
+            if id.is_empty() {
+                return Err(Error::SecretsManagerUri { input_source: s.to_string() });
+            }
+            return Ok(SecretsManagerUri { secret_id: id.to_string() });
+        }
+        Err(Error::SecretsManagerUri { input_source: s.to_string() })
+    }
+}
+
+#[async_trait]
+impl UriResolver for SecretsManagerUri {
+    async fn resolve(&self) -> Result<String> {
+        use aws_config::{self, BehaviorVersion, Region};
+        use aws_sdk_secretsmanager;
+
+        // 1) load AWS config (region/account via env)
+        let cfg = aws_config::load_from_env().await;
+        let client = aws_sdk_secretsmanager::Client::new(&cfg);
+
+        // 2) fetch the secret, propagating any SdkError into SecretsManagerGet
+        let resp = client
+            .get_secret_value()
+            .secret_id(self.secret_id.clone())
+            .send()
+            .await
+            .context(SecretsManagerGetSnafu { secret_id: self.secret_id.clone() })?;
+
+        // 3) extract the string payload, or error if it was missing
+        resp.secret_string()
+            .map(str::to_string)
+            .context(SecretsManagerStringMissingSnafu { secret_id: self.secret_id.clone() })
+    }
+}
+
+
