FR: Read just specified keys

Have you thought about playing with the secrets visible to the IAM role used by the application?

The library would only enumerate through the keys visible to your application.

I had a similar requirement. In terms of permissions, the extension requires kms:Decrypt, kms:Encrypto, secretsmanager:ListSecrets and secretsmanager:GetSecretValue.

If anyone is in a similar boat and can alter the IAM Policy attached to the role/user/group then something like the following works:

{ “Version”: “2012-10-17”, “Statement”: [ { “Sid”: “”, “Effect”: “Allow”, “Action”: [ “kms:Decrypt”, “kms:Encrypt”, “secretsmanager:ListSecrets” ], “Resource”: “*” }, { “Sid”: “”, “Effect”: “Allow”, “Action”: “secretsmanager:GetSecretValue”, “Resource”: “list urn for the secret you want to allow here” } ] }

You can’t specify individual Urns for ListSecrets, but can for GetSecretValue and so it’s possible to restrict access in this way. Then, depending on the environment, you can specify the urn’s to be allowed for that environment and then use the SecretFilter functionality so that GetSecretValue is only called on the whitelisted urn’s e.g:

                    var accepted_urns = GetAcceptedUrns(hostingContext.HostingEnvironment.EnvironmentName);
                    config.AddSecretsManager(configurator: options =>
                    {
                        options.SecretFilter = entry => accepted_urns.Contains(entry.ARN);
                   }

This approach does mean that the application sees the urn of all secret keys with the LIstSecrets functionality, but is only able to retreive the secret keys that relate to the environment the user has access to.

I don’t have an ETA to be frank. I am between jobs right now so you can understand it’s hard for me to find the time for this.

As for every open source project, contributions from the user base are always welcome, even if just to create a PoC.