localstack icon indicating copy to clipboard operation
localstack copied to clipboard
verified publisher icon localstack

bug: secret manager always returning base64 encoded string even in GoSDK

Open MathiasVandePol opened this issue 1 year ago • 1 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Current Behavior

When using the Go aws SDK, It seems that localstack somehow always returns a base64 encoded secretBinary even though this should not happen for the GoSDK (and others besides Python?)

https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html#API_GetSecretValue_ResponseSyntax

The decrypted secret value, if the secret value was originally provided as binary data in the form of a byte array. When you retrieve a SecretBinary using the HTTP API, the Python SDK, or the AWS CLI, the value is Base64-encoded. Otherwise, it is not encoded.

Expected Behavior

Return a non base64 encoded binary

How are you starting LocalStack?

With a docker-compose file

Steps To Reproduce

Below is some go code that works if the awsEndpoint is not overriden to localstack.

package main

import (
	"context"
	"fmt"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
)

func main() {
	// $ touch secrets.json
	// $ cat > secrets.json << EOF
	// {
	//   "username": "admin",
	//   "password": "password"
	// }
	// EOF
	// $ awslocal secretsmanager create-secret --name xxx --secret-binary fileb://secrets.json

	secretName := "xxx"

	awsEndpoint := "http://localhost:4566"
	awsRegion := "us-east-1"

	awsCfg, err := config.LoadDefaultConfig(context.TODO(),
		config.WithRegion(awsRegion),
	)
	if err != nil {
		log.Fatal(err)
	}

	// Create Secrets Manager client
	svc := secretsmanager.NewFromConfig(awsCfg, func(o *secretsmanager.Options) {
		o.BaseEndpoint = aws.String(awsEndpoint)
	})

	input := &secretsmanager.GetSecretValueInput{
		SecretId: aws.String(secretName),
	}

	result, err := svc.GetSecretValue(context.TODO(), input)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%s", result.SecretBinary) // This should print the json but it prints a base64 encoded string
}

Environment

- OS:
- LocalStack:
  LocalStack version:
  LocalStack Docker image sha:
  LocalStack build date:
  LocalStack build git hash:

Anything else?

No response

MathiasVandePol avatar Aug 06 '24 18:08 MathiasVandePol

Welcome to LocalStack! Thanks for reporting your first issue and our team will be working towards fixing the issue for you or reach out for more background information. We recommend joining our Slack Community for real-time help and drop a message to LocalStack Pro Support if you are a Pro user! If you are willing to contribute towards fixing this issue, please have a look at our contributing guidelines and our contributing guide.

localstack-bot avatar Aug 06 '24 18:08 localstack-bot

Hi @MathiasVandePol! This issue has been addressed in #11535. Could you please give us some feedback if this resolved your issue? The fix is containe in the latest release (3.8.1) as well as in the latest images.

alexrashed avatar Oct 30 '24 13:10 alexrashed

As far as I can tell regression has been fixed - my tests are passing with 3.8.1: https://github.com/awspring/spring-cloud-aws/pull/1217

maciejwalkowiak avatar Oct 30 '24 19:10 maciejwalkowiak