AWS secretsmanager: Show behavior of version stages
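#!/usr/bin/env bash
# Demonstrates AWS CLI behaviour when a secret version is requested by
# version-id AND version-stage at the same time.
#
# Secrets Manager only returns a value when the requested version-id carries
# the requested staging label. Writing a second value with --version-stages
# AWSCURRENT moves that label onto the new version, so the final
# get-secret-value call below (old version-id + stage AWSCURRENT) is rejected.
# That rejection is the expected outcome of this demo, not a bug.
#
# Requirements: an AWS CLI profile allowed to CreateSecret / PutSecretValue /
# GetSecretValue on the secret named below, and `jq` on PATH.
#
# NOTE(review): the values here are throwaway demo strings. For a real secret
# do NOT pass it via --secret-string on the command line: it is visible in
# `ps`, shell history and `set -x` traces. Use --secret-string file://<path>
# or --cli-input-json with a file that has restrictive permissions instead.
#
# The demo leaves the secret behind. Remove it afterwards with:
#   aws --profile <profile> secretsmanager delete-secret \
#     --secret-id test-secret-delete-me --force-delete-without-recovery
set -euo pipefail

readonly SECRET_NAME="test-secret-delete-me"
readonly AWS_PROFILE="some-aws-profile"
readonly FIRST_VALUE="first_secret_value"
readonly SECOND_VALUE="second_secret_value"

#######################################
# Run a secretsmanager subcommand against the configured profile.
# Globals:   AWS_PROFILE (read)
# Arguments: subcommand and its flags, passed through verbatim
# Returns:   the AWS CLI exit status
#######################################
sm() {
  aws --profile "${AWS_PROFILE}" secretsmanager "$@"
}

#######################################
# Store a new secret version and print its VersionId on stdout.
# Globals:   SECRET_NAME (read)
# Arguments: $1 - secret string, $2 - staging label to attach
# Returns:   non-zero if the CLI call or jq fails (pipefail is set)
#######################################
put_version() {
  local value=$1
  local stage=$2
  sm put-secret-value \
    --secret-id "${SECRET_NAME}" \
    --secret-string "${value}" \
    --version-stages "${stage}" \
    | jq -r .VersionId
}

#######################################
# Fetch a version by id + stage and print only its id and stage labels.
# The SecretString is deliberately not echoed, so the demo output never
# contains secret material.
# Globals:   SECRET_NAME (read)
# Arguments: $1 - version id, $2 - staging label
# Returns:   non-zero if Secrets Manager rejects the id/stage combination
#######################################
fetch_version() {
  local version_id=$1
  local stage=$2
  sm get-secret-value \
    --secret-id "${SECRET_NAME}" \
    --version-stage "${stage}" \
    --version-id "${version_id}" \
    | jq -c '{VersionId, VersionStages}'
}

# Create the secret. Every call uses AWS_PROFILE; the original script used a
# different, hard-coded profile for this one step, which made the demo fail
# (or hit the wrong account) for anyone who only changed AWS_PROFILE.
# create-secret fails if the name already exists - delete it or rename first.
sm create-secret --name "${SECRET_NAME}"

# First value becomes AWSCURRENT.
first_version=$(put_version "${FIRST_VALUE}" AWSCURRENT)

# Works: the version-id currently carries the AWSCURRENT label.
printf 'Fetching version-id %s and stage AWSCURRENT\n' "${first_version}"
fetch_version "${first_version}" AWSCURRENT

# Second value takes over AWSCURRENT; the label leaves the first version.
second_version=$(put_version "${SECOND_VALUE}" AWSCURRENT)

# Works: new version-id + AWSCURRENT match.
printf 'Fetching version-id %s and stage AWSCURRENT\n' "${second_version}"
fetch_version "${second_version}" AWSCURRENT

# Expected to fail: the first version-id no longer carries AWSCURRENT, and
# the API requires both selectors to match the same version. Under `set -e`
# this must be wrapped in `if` so the script can report the result instead
# of aborting.
printf 'Attempting to fetch version-id %s and stage AWSCURRENT (expected to fail)\n' \
  "${first_version}"
if fetch_version "${first_version}" AWSCURRENT; then
  printf 'unexpected: version %s still resolves with stage AWSCURRENT\n' \
    "${first_version}" >&2
  exit 1
fi
printf 'As expected: version-id %s is no longer AWSCURRENT, so id+stage lookup is rejected\n' \
  "${first_version}"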