
Alphabets in secret version id are converted UPPER_CASE only when `--output text` is specified

Open goldeneggg opened this issue 3 years ago • 5 comments

Describe the bug

I can't understand if this behavior is a bug or a spec so please let me know 🙏

When I ran the aws secretsmanager list-secrets or aws secretsmanager describe-secret command with --output text option, all the alphabets contained in the version id are converted to UPPER_CASE.

```
aws secretsmanager list-secrets --query 'SecretList[*].SecretVersionsToStages' --output text
0123ABCD-XXX1-XXX2-XXX3-XXXXXX444444    AWSPREVIOUS
1234EFGH-XXX1-XXX2-XXX3-XXXXXX444444    AWSCURRENT
```

Other than text (e.g. json, yaml and others), I can get the expected id with lower_case alphabets.

```
aws secretsmanager list-secrets --query 'SecretList[*].SecretVersionsToStages' --output json
{
    "0123abcd-xxx1-xxx2-xxx3-xxxxxx444444": [
        "AWSPREVIOUS"
    ],
    "1234efgh-xxx1-xxx2-xxx3-xxxxxx444444": [
        "AWSCURRENT"
    ]
}
```

Expected Behavior

All alphabets in version id are lower_case with --output text option (like --output json option).

Current Behavior

All alphabets in version id are UPPER_CASE with --output text option.

Reproduction Steps

  1. Run aws secretsmanager list-secrets --query 'SecretList[*].SecretVersionsToStages' --output json
    • all alphabets in version id are lower_case
  2. Run aws secretsmanager list-secrets --query 'SecretList[*].SecretVersionsToStages' --output text
    • all alphabets in version id are UPPER_CASE (this is the current, unexpected behavior)
  3. I can get the same result by running describe-secret instead of list-secrets

Possible Solution

No response

Additional Information/Context

No response

CLI version used

aws-cli/2.7.17 Python/3.10.5 Darwin/21.5.0 source/x86_64 prompt/off

Environment details (OS name and version, etc.)

OS X Monterey 12.4 (Intel Mac)

goldeneggg, Jul 27 '22 03:07

Hi @goldeneggg thanks for reaching out. In terms of the values you're referring to (AWSPREVIOUS, AWSCURRENT), I believe that those are supposed to be uppercase as per the Secrets Manager documentation: https://docs.aws.amazon.com/secretsmanager/latest/userguide/getting-started.html.

tim-finnigan, Jul 28 '22 22:07

@tim-finnigan

Thank you for your response.

I was reporting on the version id in UUID format (not the string "AWSPREVIOUS" or "AWSCURRENT").

For example, as mentioned in the description, if the version id is registered as 0123abcd-xxx1-xxx2-xxx3-xxxxxxxx444444, then

  • If --output json is specified, 0123abcd-xxx1-xxx2-xxx3-xxxxxx444444 will be returned. (The --output yaml option gives the same result.)
  • If --output text is specified, 0123ABCD-XXX1-XXX2-XXX3-XXXXXX444444 is returned (all letters are converted to upper case).

I expect the version id to be returned in lower case even if I specify --output text.

goldeneggg, Jul 29 '22 00:07

Hi @goldeneggg thanks for clarifying that, I see what you're saying now. It seems to be the default behavior that identifiers in text output are always uppercase as shown here in the User Guide.

That SecretVersionsToStages pattern seems unlike other APIs in that the keys are unique values. But that's just part of the ResponseSyntax for ListSecrets so I'm not sure if there's anything the CLI can change regarding this. If you have jq installed you could use something like this as a workaround to get the ids in lowercase:

```
aws secretsmanager list-secrets --query 'SecretList[*].SecretVersionsToStages' --output json | jq '.[]' | jq 'keys'
```

tim-finnigan, Aug 03 '22 13:08

@tim-finnigan Thanks for your reply. I've understood your suggestion.

On the other hand, the --version-id option of the aws secretsmanager get-secret-value command strictly determines the case of the version_id. For example, if there is a version_id of 1234abcd-xxxx-999999-rrrrrr-22222222ddddddd, then

  • The aws secretsmanager get-secret-value --secret-id dummy-secret --version-id 1234abcd-xxxx-999999-rrrrrr-22222222ddddddddddd (lower case version_id) command will succeed.
  • The aws secretsmanager get-secret-value --secret-id dummy-secret --version-id 1234ABCD-XXXX-9999-RRRRRR-222222DDDDDD (UPPER CASE version_id) command will return "An error occurred (ResourceNotFoundException)".

A possible scenario is as follows:

  1. I get 1234ABCD-XXXX-9999-RRRRRR-222222DDDDDD with the --output text option (but the actual registered version_id is 1234abcd-xxxx-999999-rrrrrr-22222222ddddddd (lower case)).
  2. And I run aws secretsmanager get-secret-value --secret-id dummy-secret --version-id 1234ABCD-XXXX-9999-RRRRRR-222222DDDDDD
  3. The above command will fail with the "An error occurred (ResourceNotFoundException)" error because the registered version_id is 1234abcd-xxxx-999999-rrrrrr-22222222ddddddd (lower case).

In my personal opinion, I thought it would be better to unify either upper or lower case letters, or to not strictly distinguish between upper and lower case letters.

Please see also https://www.uuidtools.com/what-is-uuid#case-sensitive and https://github.com/ramsey/uuid/issues/131

goldeneggg, Aug 08 '22 13:08
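
Added example, not part of the thread and not aws-cli code: for scripts that feed a version ID into `get-secret-value`, one way to avoid the failure described above is to take IDs from the `--output json` keys and to map any ID of unknown case back to a key the listing actually returned. The sample JSON, its IDs and the function names are constructed for illustration.

```python
import json

# Constructed sample of what
#   aws secretsmanager list-secrets --query 'SecretList[*].SecretVersionsToStages' --output json
# returns: one map per secret (null when a secret has no versions). IDs are made up.
SAMPLE_JSON = """
[
  {
    "0a1b2c3d-1111-4222-8333-abcdef444444": ["AWSPREVIOUS"],
    "1b2c3d4e-5555-4666-8777-fedcba888888": ["AWSCURRENT"]
  },
  null
]
"""


def version_for_stage(list_secrets_json, stage):
    """Return the version IDs carrying `stage`, spelled exactly as in the JSON keys."""
    found = []
    for versions_to_stages in json.loads(list_secrets_json):
        for version_id, stages in (versions_to_stages or {}).items():
            if stage in stages:
                found.append(version_id)
    return found


def registered_spelling(candidate, list_secrets_json):
    """Map an ID of unknown case (e.g. pasted from text output) back to the registered ID.

    Compares case-insensitively against the JSON keys instead of lower-casing
    the candidate, so the result is always a key the listing actually returned.
    Returns None when nothing matches; raises if the match is ambiguous.
    """
    matches = set()
    for versions_to_stages in json.loads(list_secrets_json):
        for version_id in (versions_to_stages or {}):
            if version_id.casefold() == candidate.casefold():
                matches.add(version_id)
    if len(matches) > 1:
        raise ValueError(f"ambiguous version ID: {sorted(matches)}")
    return matches.pop() if matches else None


if __name__ == "__main__":
    print(version_for_stage(SAMPLE_JSON, "AWSCURRENT"))
    print(registered_spelling("0A1B2C3D-1111-4222-8333-ABCDEF444444", SAMPLE_JSON))
```
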

Thanks @goldeneggg for the feedback. I see what you're saying, but any changes involving service API functionality would have to come from that team. I think it's unlikely that the Secrets Manager team would consider changing the version ID to be case insensitive, but I suggest reaching out to that team through the recommended channels here: https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html#support-and-feedback.

tim-finnigan, Aug 16 '22 16:08