bug: failed to retrtive data from aws secret manager when the secret name contains a slash / #11647

Open
kayx23 opened this issue Oct 15, 2024 · 3 comments · May be fixed by #11655
Labels
bug Something isn't working

kayx23 commented Oct 15, 2024

Current Behavior

When configuring secrets in AWS, the suggestive text for the secret name uses slashes, so it could be quite common for users to have slashes in their secret names.

Suppose the secret name is john/secret in AWS and the key of the credential is john-key-auth. In APISIX, the secret is referenced by key-auth as such:

curl "http://127.0.0.1:9180/apisix/admin/consumers/john/credentials" -X PUT \
  -d '{
    "id": "cred-key-auth",
    "plugins": {
      "key-auth": {
        "key": "$secret://aws/1/john/secret/john-key-auth"
      }
    }
  }'

Suppose the key-auth is enabled on a route. When requesting this route, you would receive 401 from APISIX and see the below error in the error log:

failed to fetch secret value: failed to retrtive data from aws secret manager: invalid status code 400, {"Message":"Secrets Manager can't find the specified 
...
run_plugin(): key-auth exits with http status code 401, client: 192.168.65.1, server: _, request: "GET /anything HTTP/1.1", host: "127.0.0.1:9080"

This is likely due to the slash in the secret name. There might be a parsing case to catch. From testing, it seems that a slash in the secret name leads to errors, but a slash in the key of the credential key-value pair does not.

Expected Behavior

APISIX to accommodate the situation where secret names contain slashes.

Environment

  • APISIX version (run apisix version): 3.11.0
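
The ambiguity behind this report, as an added Python illustration that is not APISIX code and not part of the original issue. It assumes the reference has the shape `$secret://<manager>/<id>/<secret name>/<key>` (matching the example above); the two splitting rules, `parse_first_slash` and `parse_last_slash`, are hypothetical and are shown only to compare how each treats a slash in the name versus a slash in the key.

```python
# Added illustration (not APISIX source). Assumed reference shape, taken from
# the example in this issue: $secret://<manager>/<id>/<secret name>/<key>
PREFIX = "$secret://"


def split_ref(ref):
    """Return (manager, conf_id, rest) where rest is '<secret name>/<key>'."""
    if not ref.startswith(PREFIX):
        raise ValueError("not a $secret:// reference")
    parts = ref[len(PREFIX):].split("/", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected $secret://<manager>/<id>/<name>/<key>")
    return tuple(parts)


def _split(ref, cut):
    """Split rest with str.partition or str.rpartition; reject empty parts."""
    manager, conf_id, rest = split_ref(ref)
    name, sep, key = cut(rest, "/")
    if not (sep and name and key):
        raise ValueError("reference needs both a secret name and a key")
    return {"manager": manager, "id": conf_id, "name": name, "key": key}


def parse_first_slash(ref):
    """Hypothetical rule A: the name ends at the first slash."""
    return _split(ref, str.partition)


def parse_last_slash(ref):
    """Hypothetical rule B: the key is the last segment."""
    return _split(ref, str.rpartition)


def candidates(ref):
    """Every (name, key) reading of the reference; more than one = ambiguous."""
    rest = split_ref(ref)[2]
    cuts = [i for i, ch in enumerate(rest) if ch == "/"]
    return [(rest[:i], rest[i + 1:]) for i in cuts if rest[:i] and rest[i + 1:]]


if __name__ == "__main__":
    ref = "$secret://aws/1/john/secret/john-key-auth"  # reference from the issue
    print("rule A:", parse_first_slash(ref))  # would look up the name "john"
    print("rule B:", parse_last_slash(ref))   # would look up "john/secret"
    print("all readings:", candidates(ref))
```

Rule A keeps keys with slashes working but looks up `john` instead of `john/secret`; rule B finds `john/secret` but would misread a key that itself contains a slash, so a single delimiter cannot serve both cases without an extra convention.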
@dosubot dosubot bot added the bug Something isn't working label Oct 15, 2024
kayx23 commented Oct 15, 2024

just fyi @HuanXin-Chen

HuanXin-Chen commented

> just fyi @HuanXin-Chen

OK, I know what the problem is; it may take a little time to do a fix.

HuanXin-Chen commented

@kayx23 Could you please help me test whether GCP has a similar problem? I referred to somewhat fewer test cases at the time. Thank you ❤️

HuanXin-Chen linked a pull request Oct 15, 2024 that will close this issue