Commit Graph

28 Commits

Author SHA1 Message Date
kbalk
eb5fdfa247
Techdebt: Replace sure with regular assertions in secretsmanager (#6616) 2023-08-08 10:08:15 +00:00
Bert Blommers
f54f4a666f
Techdebt: MyPy SecretsManager (#6244) 2023-04-22 15:39:48 +00:00
Hans Donner
18ec0c5467
Techdebt: skip tests when docker is not running (#6026) 2023-03-12 15:54:50 -01:00
Bryan Schrock
836a2e6538
Update get_secret_value to properly check versions and stages match (#5238) 2022-06-18 11:20:14 +00:00
Bert Blommers
29d01c35bc
Update Black + formatting (#4926) 2022-03-10 13:39:59 -01:00
MEP
7194456d0d
[LocalStack] Fixes to secretsmanager's PutSecretValue, CreateSecret, DeleteSecret (#4851) 2022-02-11 11:49:14 -01:00
Bert Blommers
14a69c7524
Techdebt: Enable pylint rules (#4432) 2021-10-18 19:44:29 +00:00
MarkBrook
663cd7a523
ISSUE-4340: SecretsManager cannot find specified secret using ARN in some operations (#4353) 2021-09-27 19:59:13 +00:00
Daniel Samuels
a4b1498665
Support rotating secrets using Lambda [#3905] (#3912)
* Support rotating secrets using Lambda

The Secrets manager rotation process uses an AWS Lambda function
to perform the rotation of a secret. [1]

In fact, it's not possible to trigger rotation of a Secret
without specifying a Lambda function at some point in the life
of the secret:

```
$ aws secretsmanager rotate-secret --secret-id /rotationTest

An error occurred (InvalidRequestException) when calling the RotateSecret operation: No Lambda rotation function ARN is associated with this secret.
```

`moto` can be a little more lenient in this regard and allow
`rotate_secret` to be called without a Lambda function being
present, if only to allow simulation of the `AWSCURRENT` and
`AWSPREVIOUS` labels moving across versions.

However, if a lambda function _has_ been specified when calling
`rotate_secret`, it should be invoked, therefore providing the
developer with the full multi-stage process [3] which can be
used to test the Lambda function itself and ensuring that full
end-to-end testing is performed. Without this there's no easy
way to configure the Secret in the state needed to provide the
Lambda function with the data in the format it needs to be in
at each step of the invocation process.

[1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-lambda-function-overview.html
[2]: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/secretsmanager.html#SecretsManager.Client.rotate_secret
[3]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-lambda-function-overview.html#rotation-explanation-of-steps

* Run `black` over `secretsmanager/models.py`

* Make `lambda_backends` import local to the condition

* Implement `update_secret_version_stage`

Allow a staging label to be moved across versions.

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/secretsmanager.html#SecretsManager.Client.update_secret_version_stage

* Add an integration test for Secrets Manager & Lambda

* Support passing `ClientRequestToken` to `put_secret_value`

By passing `ClientRequestToken` to `put_secret_value` within
the lambda function invoked by calling `rotate_secret`, one
can update the value associated with the existing (pending)
version, without causing a new secret version to be created.

* Add application logic for `AWSPENDING`

The rotation function must end with the versions of the secret
in one of two states:

 - The `AWSPENDING` and `AWSCURRENT` staging labels are
   attached to the same version of the secret, or
 - The `AWSPENDING` staging label is not attached to any
   version of the secret.

If the `AWSPENDING` staging label is present but not attached
to the same version as `AWSCURRENT` then any later invocation
of RotateSecret assumes that a previous rotation request is
still in progress and returns an error.

* Update `default_version_id` after Lambda rotation concludes

Call `set_default_version_id` directly, rather than going
through `reset_default_version` as the Lambda function is
responsible for moving the version labels around, not `rotate_secret`.

* Run `black` over changed files

* Fix Python 2.7 compatibility

* Add additional test coverage for Secrets Manager

* Fix bug found by tests

AWSPENDING + AWSCURRENT check wasn't using `version_stages`.
Also tidy up the AWSCURRENT moving in `update_secret_version_stage`
to remove AWSPREVIOUS it from the new stage.

* Run `black` over changed files

* Add additional `rotate_secret` tests

* Skip `test_rotate_secret_lambda_invocations` in test server mode

* Add test for invalid Lambda ARN
2021-05-11 12:08:01 +01:00
usmangani1
53c3eb6240
Fix:SecretsManager :Error on Invalid secretID (#3413)
* Fix:SecretsManager :Error on Invalid secretID

* Fixed tests

Co-authored-by: usmankb <usman@krazybee.com>
2020-11-02 10:15:40 +00:00
mwas
625f28c882 adding get policy endpoint 2019-11-26 06:09:24 +03:00
Alexander Campbell
7e468287a0 Match AWS's change from smart-quote to ASCII quote 2019-11-12 10:05:11 +11:00
Asher Foa
96e5b1993d Run black on moto & test directories. 2019-10-31 10:36:05 -07:00
Alexander Campbell
6120a60263 Use escape sequence to express non-ASCII character 2019-10-18 10:17:49 +11:00
Alexander Campbell
9a54cea4f1 Work around python2 unicode exception str() issues 2019-10-16 14:44:41 +11:00
Alexander Campbell
d74f9e47c8 Add coding hint for python2 compatibility 2019-10-16 12:44:30 +11:00
Alexander Campbell
9d6a1ca81d Fix slightly incorrect message for some errors 2019-10-16 10:58:59 +11:00
Alexander Campbell
381e7b165f Raise appropriate error when secret exists but has no value 2019-10-16 10:55:03 +11:00
Justin Kieber-King
bbd7fefb37 Feature: Secrets Manager put_secret_value and list_secret_version_ids (#2116)
* initial work

- adding put_secret_value and list_secret_versions

* Added support for versions in all functions except rotate_secret

* more work

- refactor rotate_secret method
  - now, adds a new version of the secret and points default version id to it
- updated implementation coverage readme
- element in list check to fix unit test
- fixed linting errors
- added tests, fixed exception, failing tests still
- secrets_manager/test_server fails when running whole suite,
  but not when running that individual test file

* fixed failing test_get_secret_value

* Removed test.py. Fixed condition statement.

* fixed default stages + adding AWSPREVIOUS

* remove old AWSPREVIOUS stages
2019-05-22 10:45:22 +01:00
zane
b485122ec6 refactor to store multiple secrets, use uuid 2018-10-25 15:16:40 -07:00
Neil Roberts
6985f27167 Moto-1781: Add unit tests to verify that rotation is enabled.
- Add standalone unit test to verify that rotation is enabled and the
rotation interval is correct.
- Add server test to verify that rotation is enabled and the rotation
interval is correct. Commented out until nested dict error is sorted.
- Fix incorrectly asserted message strings.
2018-08-15 17:11:58 -07:00
Neil Roberts
71ed78141a Moto-1781: Implement server unit tests.
*** Includes 2 commented out tests that generate errors pointing deeper
in the code. ***
2018-08-15 11:32:54 -07:00
Neil Roberts
4ced0ce0db Opportunistic update to unit test for consistency. 2018-08-15 11:22:07 -07:00
Neil Roberts
b2c672a074 Issue 1753: add server test for mismatched secret 2018-08-13 12:53:22 -07:00
Neil Roberts
cce3a678aa Implement secretsmanager.DescribeSecret and tests. 2018-08-06 14:40:33 -07:00
Zane Williamson
ba1ceee95f Adding create_secret, exception handle, fix (#1680) 2018-07-14 08:39:19 +01:00
zane
b1a8ae8299 Updating tests 2018-06-09 23:42:33 -07:00
zane
c4abd98ed3 Adding server test for get_secret_value 2018-06-07 22:53:34 -07:00