Skip to content

fix(secrets): support binary Secrets Manager values#442

Merged
aparajon merged 2 commits into
mainfrom
aparajon/awssm-binary-secrets
Jun 19, 2026
Merged

fix(secrets): support binary Secrets Manager values#442
aparajon merged 2 commits into
mainfrom
aparajon/awssm-binary-secrets

Conversation

@aparajon

@aparajon aparajon commented Jun 19, 2026

Copy link
Copy Markdown
Collaborator

Why this matters

AWS Secrets Manager stores a value as either SecretString or SecretBinary. SchemaBot's two retrieval paths — the secretsmanager: reference resolver (pkg/secrets) and the awssm credential backend (pkg/awscreds) — both read only SecretString and rejected binary secrets with "binary secrets are not supported". A secret written via the binary API comes back as SecretBinary, so resolving such a secret (e.g. a DDL password stored as binary) failed at resolution time.

What it does

  • Adds secrets.ValueFromGetSecretOutput(resp, name) — prefers the string form, falls back to the binary bytes (which aws-sdk-go-v2 has already base64-decoded), and errors only when neither is set.
  • Routes both pkg/awscreds (getSecretValue) and secrets.Resolve through it, so the two paths behave consistently and can't drift. This removes the duplicated SecretString-only logic (and its identical limitation) from both.
  • Unit test covers string / binary / neither.

Behavior for string secrets is unchanged; binary secrets now resolve instead of erroring.

This PR was generated by Claude Code (claude-opus-4-8[1m]).

@aparajon @claude
fix(secrets): support binary Secrets Manager values
b484c0a 
AWS Secrets Manager stores a value as either SecretString or SecretBinary. Both
secret-retrieval paths — the secretsmanager: ref resolver (pkg/secrets) and the
awssm credential resolver (pkg/awscreds) — read only SecretString and rejected
binary secrets ("binary secrets are not supported"). A secret written via the
binary API comes back as SecretBinary, so resolving such a secret failed.

Add a shared secrets.ValueFromGetSecretOutput that prefers the string form and
falls back to the (already base64-decoded) binary bytes, and route both
pkg/awscreds and secrets.Resolve through it so the two paths behave consistently
and can't drift.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings June 19, 2026 21:32
Copilot AI reviewed Jun 19, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates SchemaBot’s AWS Secrets Manager integration so secrets stored as SecretBinary (not just SecretString) can be resolved consistently across both the generic secretsmanager: reference resolver (pkg/secrets) and the AWS credential backend (pkg/awscreds).

Changes:

  • Adds secrets.ValueFromGetSecretOutput to extract a secret value, preferring SecretString and falling back to SecretBinary.
  • Routes both pkg/secrets and pkg/awscreds through the shared helper to avoid drift and remove duplicated “string-only” logic.
  • Adds a unit test covering string / binary / neither cases.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File Description
pkg/secrets/resolve.go Uses a shared helper to support SecretBinary when resolving secretsmanager: references.
pkg/secrets/resolve_test.go Adds unit coverage for the new helper’s string/binary/error behavior.
pkg/awscreds/awscreds.go Switches Secrets Manager fetching to the shared helper so binary secrets work in the credentials backend too.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread pkg/secrets/resolve.go Outdated
Comment thread pkg/awscreds/awscreds.go
Comment thread pkg/secrets/resolve_test.go
@aparajon @claude
fix(secrets): address review — non-nil check + secret name in error
e495666 
- ValueFromGetSecretOutput tests SecretBinary with non-nil, not length, so an
  intentionally empty binary value round-trips as "" consistently with the
  string form (covered by a new test case).
- Name the secret in the awscreds get-secret error for triage parity with the
  secretsmanager: resolver.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@aparajon aparajon force-pushed the aparajon/awssm-binary-secrets branch from d5df714 to e495666 Compare June 19, 2026 21:40
@aparajon aparajon marked this pull request as ready for review June 19, 2026 21:42
@aparajon aparajon requested review from Kiran01bm and morgo as code owners June 19, 2026 21:42
@aparajon aparajon merged commit 202bf52 into main Jun 19, 2026
30 checks passed
@aparajon aparajon deleted the aparajon/awssm-binary-secrets branch June 19, 2026 21:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@morgo morgo morgo approved these changes

@Kiran01bm Kiran01bm Awaiting requested review from Kiran01bm Kiran01bm is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@aparajon @morgo