Fix

lukaszcl · lukaszcl · commit 807cf961824d · 2025-01-15T10:58:43.000+01:00
diff --git a/tools/ghsecrets/main.go b/tools/ghsecrets/main.go
@@ -50,16 +50,16 @@ func main() {
 				}
 			}
 
-			// Ensure secretID starts with "testsecrets/"
-			secretID = ensurePrefix(secretID, "testsecrets/")
-
 			switch strings.ToLower(backend) {
 			case "github":
 				if err := setGitHubSecret(filePath, secretID); err != nil {
 					exitWithError(err, "Failed to set GitHub secret")
 					return
 				}
 			case "aws":
+				// Ensure AWS secretID starts with "testsecrets/" prefix
+				// GHA IAM role has a policy that restricts access to secrets with this prefix
+				secretID = ensurePrefix(secretID, "testsecrets/")
 				if err := setAWSSecret(filePath, secretID, sharedWith); err != nil {
 					exitWithError(err, "Failed to set AWS secret")
 					return

Original file line number	Diff line number	Diff line change
`@@ -50,16 +50,16 @@ func main() {`
`50`	`50`	`}`
`51`	`51`	`}`
`52`	`52`
`53`		`- // Ensure secretID starts with "testsecrets/"`
`54`		`- secretID = ensurePrefix(secretID, "testsecrets/")`
`55`		`-`
`56`	`53`	`switch strings.ToLower(backend) {`
`57`	`54`	`case "github":`
`58`	`55`	`if err := setGitHubSecret(filePath, secretID); err != nil {`
`59`	`56`	`exitWithError(err, "Failed to set GitHub secret")`
`60`	`57`	`return`
`61`	`58`	`}`
`62`	`59`	`case "aws":`
	`60`	`+ // Ensure AWS secretID starts with "testsecrets/" prefix`
	`61`	`+ // GHA IAM role has a policy that restricts access to secrets with this prefix`
	`62`	`+ secretID = ensurePrefix(secretID, "testsecrets/")`
`63`	`63`	`if err := setAWSSecret(filePath, secretID, sharedWith); err != nil {`
`64`	`64`	`exitWithError(err, "Failed to set AWS secret")`
`65`	`65`	`return`