MFTF AWS Secrets Manager - CI Use #554
Conversation
docs/credentials.md
Outdated
| #### Use AWS Secrets Manager from other AWS account | ||
|
|
||
| - AWS account ID where the AWS Secrets Manager service is hosted | ||
| - IAM User or Role with appropriate access permission |
There was a problem hiding this comment.
Maybe elaborate on what access permission is needed?
docs/credentials.md
Outdated
| ```conf | ||
| # Secret name for carriers_usps_userid | ||
| mftf/magento/carriers_usps_userid | ||
| `Secrets Value` in plaintext format can be any content you want to secure. `Secrets Value` in key/value pairs format, however, the `key` must be same as the `Secret Name` with `mftf/<VENDOR>/` part removed. |
There was a problem hiding this comment.
maybe reword to -
Secret Valuecan be stored in two different formats: plaintext (AWS CLI) or key/value pairs (AWS Console).
For plaintext format,Secret Valuecan be any string you want to secure.
For key/value pairs format,
Secret Valueis a key/value pair withkeysame as<YOUR/SECRET/KEY>ofSecret Nameandvaluecan be any string you want to secure.
docs/credentials.md
Outdated
|
|
||
| Full AWS KMS ([Key Management Service][]) key ARN ([Amazon Resource Name][]) is required when accessing secrets stored in other AWS account. | ||
| If this is the case, you will also need to set `CREDENTIAL_AWS_ACCOUNT_ID` environment variable so that MFTF can construct the full ARN. | ||
| This is also commonly used in CI system. |
There was a problem hiding this comment.
maybe remove this line since we have hyperlinks to KMS and ARN, if we need more information on them?
There was a problem hiding this comment.
I reword it a bit. I actual think this is indeed most used for CI/CD.
docs/credentials.md
Outdated
| @@ -186,6 +208,16 @@ CREDENTIAL_AWS_SECRETS_MANAGER_REGION=us-east-1 | |||
| CREDENTIAL_AWS_SECRETS_MANAGER_PROFILE=default | |||
| ``` | |||
|
|
|||
| ### Optionally set CREDENTIAL_AWS_ACCOUNT_ID environment variable | |||
|
|
|||
| Full AWS KMS ([Key Management Service][]) key ARN ([Amazon Resource Name][]) is required when accessing secrets stored in other AWS account. | |||
There was a problem hiding this comment.
other AWS account seems a little vague. Needs to be reworded to specify the type of account configuration.
etc/config/.env.example
Outdated
| @@ -37,8 +37,6 @@ BROWSER=chrome | |||
| #*** To use AWS Secrets Manager to manage _CREDS secrets, uncomment and set region, profile is optional, when omitted, AWS default credential provider chain will be used ***# | |||
| #CREDENTIAL_AWS_SECRETS_MANAGER_PROFILE=default | |||
| #CREDENTIAL_AWS_SECRETS_MANAGER_REGION=us-east-1 | |||
| #*** If using non-default AWS account ***# | |||
There was a problem hiding this comment.
rename to #*** For cross AWS account use ***#
docs/credentials.md
Outdated
| #### Use AWS Secrets Manager from your own AWS account | ||
|
|
||
| - AWS account with Secrets Manager service available | ||
| - IAM User or Role is created with appropriate AWS Secrets Manger access permission |
...FunctionalTestingFramework/DataGenerator/Handlers/SecretStorage/AwsSecretsManagerStorage.php
Show resolved
Hide resolved
|
Hi @dobooth, there are some dev doc change in this PR. Please take a look. Thanks! |
|
Code change in this ticket exposed an old problem in decryption. The fix is to show the calling function when things go wrong instead of hiding the underlying problem. |
|
@jilu1 I figured there was a good reason for changing the function 👍 |
Description
Fixed Issues (if relevant)
Contribution checklist