
`secret_value` in AWS provider not getting set

Open qduk opened this issue 2 years ago • 1 comments

Environment

  • Python version: 3.8.10
  • Nautobot version: 1.2.7
  • secrets version: 1.3.0

Expected Behavior

The error message from AWS to be passed into the joblogs/jobresult. The below error is printed when I print the err caught in the block here:

```
Dec 22 18:04:17 ip-172-16-11-138 nautobot-server[2211358]: [2022-12-22 18:04:17,668: WARNING/ForkPoolWorker-31] An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:sts::*********:assumed-role/nautobot-stg-webserver-permissions-role/********** is not authorized to perform: secretsmanager:GetSecretValue on resource: sharepoint_account because no identity-based policy allows the secretsmanager:GetSecretValue action
```

Observed Behavior

The `secret_value` never gets set, so an UnboundLocalError exception is thrown.

```
Traceback (most recent call last):
  File "/opt/nautobot/.local/lib/python3.8/site-packages/nautobot/extras/models/secrets.py", line 94, in get_value
    return provider.get_value_for_secret(self, obj=obj)
  File "/opt/nautobot/.local/lib/python3.8/site-packages/nautobot_secrets_providers/providers/aws.py", line 94, in get_value_for_secret
    data = json.loads(secret_value)
UnboundLocalError: local variable 'secret_value' referenced before assignment

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/lib/python3.8/code.py", line 90, in runcode
    exec(code, self.locals)
  File "<console>", line 1, in <module>
  File "/opt/nautobot/.local/lib/python3.8/site-packages/nautobot/extras/models/secrets.py", line 98, in get_value
    raise SecretError(self, provider, str(exc)) from exc
nautobot.extras.secrets.exceptions.SecretError: SecretError: Secret "sharepoint_username" (provider "AWSSecretsManagerSecretsProvider"): local variable 'secret_value' referenced before assignment
```

Steps to Reproduce

  1. Create a secret in AWS
  2. Create a secret in Nautobot
  3. Use an instance profile that does not have access to the AWS secret.
  4. Try to retrieve the secret value either via CLI or a job.

qduk avatar Dec 22 '22 19:12 qduk

Hi @qduk,

I'll assume you figured this out in the last 14 months, however I thought it would be good to post our fix here for the next wayward soul struggling with the same error.

We found our IAM role, assigned to our EC2 instance, was too restrictive. Specifically, we had limited the Secrets Manager permissions to specific resources. When we added a new resource, we received the error posted in the initial comment.

Here's what our role looked like; we expanded the values under the "Resource" key.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAccessToSpecificSecrets",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret"
            ],
            "Resource": [
                "arn:aws:secretsmanager:<region>:<account>:secret:<secret-name>"
            ]
        }
    ]
}
```

If the maintainers are still here, better error handling/presentation would be greatly appreciated.

CameronEx avatar Mar 17 '24 06:03 CameronEx

Potentially add a new exception for AccessDeniedException

DistantVoyager avatar Jun 21 '24 21:06 DistantVoyager
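The failure mode reported in this issue (the `except` branch only logs, so `secret_value` is unbound when `json.loads` runs) and the dedicated AccessDeniedException exception suggested above, shown side by side as an added example. This is not the app's own code: `ClientError` is a local stand-in for botocore's exception so the block runs without boto3, and `FakeClient`, `SecretProviderError`, `SecretAccessDeniedError` and `try_fetch` are constructed names.

```python
import json

class ClientError(Exception):
    """Stand-in for botocore.exceptions.ClientError (same .response shape); no boto3 needed."""
    def __init__(self, error_response, operation_name):
        self.response = error_response
        err = error_response.get("Error", {})
        super().__init__(f"An error occurred ({err.get('Code')}) when calling the "
                         f"{operation_name} operation: {err.get('Message')}")

class SecretProviderError(Exception):
    """Hypothetical provider error that carries the AWS message into the job log."""

class SecretAccessDeniedError(SecretProviderError):
    """Hypothetical dedicated exception for AccessDeniedException, as proposed in the thread."""

def get_value_buggy(client, secret_name, key):
    # Mirrors the reported bug: the except branch only logs, then execution falls through.
    try:
        secret_value = client.get_secret_value(SecretId=secret_name)["SecretString"]
    except ClientError as err:
        print(err)
    return json.loads(secret_value)[key]  # UnboundLocalError after a denied call

def get_value_fixed(client, secret_name, key):
    # Hardened form: a failed call raises at once with the AWS error text kept,
    # and an access denial is mapped to its own exception type.
    try:
        secret_value = client.get_secret_value(SecretId=secret_name)["SecretString"]
    except ClientError as err:
        code = err.response.get("Error", {}).get("Code")
        exc = SecretAccessDeniedError if code == "AccessDeniedException" else SecretProviderError
        raise exc(str(err)) from err
    return json.loads(secret_value)[key]

class FakeClient:
    """Constructed fake Secrets Manager client: denies the call unless a payload is given."""
    def __init__(self, payload=None):
        self.payload = payload
    def get_secret_value(self, SecretId):
        if self.payload is None:
            msg = f"not authorized to perform: secretsmanager:GetSecretValue on resource: {SecretId}"
            raise ClientError({"Error": {"Code": "AccessDeniedException", "Message": msg}}, "GetSecretValue")
        return {"SecretString": json.dumps(self.payload)}

def try_fetch(fn, client, secret_name="sharepoint_account", key="username"):
    # Run one provider function and report ("ok", value) or ("error", exc_name, message).
    try:
        return ("ok", fn(client, secret_name, key))
    except Exception as exc:  # broad on purpose: the point is to classify outcomes
        return ("error", type(exc).__name__, str(exc))
```

With the denied client the buggy variant surfaces only the misleading UnboundLocalError, while the fixed variant raises SecretAccessDeniedError whose message names the denied action and resource.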