Re: [PR] fix(secret): aws secret manager fails when the secret name contains a slash [apisix]

Thu, 11 Jun 2026 08:20:52 -0700 


nic-6443 commented on code in PR #13519:
URL: https://github.com/apache/apisix/pull/13519#discussion_r3397100882


##########
apisix/secret/aws.lua:
##########
@@ -93,47 +95,68 @@ local function make_request_to_aws(conf, key)
     end
 
     if res.status ~= 200 then
+        local err_type = type(res.body) == "table" and res.body.__type
+        local not_found = type(err_type) == "string"
+                          and find(err_type, "ResourceNotFoundException") ~= 
nil
+
         local data = core.json.encode(res.body)
         if data then
-            return nil, "invalid status code " .. res.status .. ", " .. data
+            return nil, "invalid status code " .. res.status .. ", " .. data, 
not_found
         end
 
-        return nil, "invalid status code " .. res.status
+        return nil, "invalid status code " .. res.status, not_found
     end
 
     return res.body.SecretString
 end
 
--- key is the aws secretId
+-- key is the aws secretId, optionally followed by a JSON field name.
+-- As AWS secret names may contain slashes, the boundary between the secret
+-- name and the field name is ambiguous. Try the longest possible secret name
+-- first, then on ResourceNotFound move path segments from the right into the
+-- field position, e.g. for "a/b/c": ("a/b/c"), ("a/b", "c"), ("a", "b/c").

Review Comment:
   Fixed in 300c4efe8 — the comment now says ResourceNotFoundException.



##########
apisix/secret/aws.lua:
##########
@@ -93,47 +95,68 @@ local function make_request_to_aws(conf, key)
     end
 
     if res.status ~= 200 then
+        local err_type = type(res.body) == "table" and res.body.__type
+        local not_found = type(err_type) == "string"
+                          and find(err_type, "ResourceNotFoundException") ~= 
nil
+
         local data = core.json.encode(res.body)
         if data then
-            return nil, "invalid status code " .. res.status .. ", " .. data
+            return nil, "invalid status code " .. res.status .. ", " .. data, 
not_found
         end
 
-        return nil, "invalid status code " .. res.status
+        return nil, "invalid status code " .. res.status, not_found
     end
 
     return res.body.SecretString
 end
 
--- key is the aws secretId
+-- key is the aws secretId, optionally followed by a JSON field name.
+-- As AWS secret names may contain slashes, the boundary between the secret
+-- name and the field name is ambiguous. Try the longest possible secret name
+-- first, then on ResourceNotFound move path segments from the right into the
+-- field position, e.g. for "a/b/c": ("a/b/c"), ("a/b", "c"), ("a", "b/c").
 function _M.get(conf, key)
     core.log.info("fetching data from aws for key: ", key)
 
-    local idx = find(key, '/')
-
-    local main_key = idx and sub(key, 1, idx - 1) or key
-    if main_key == "" then
+    if key == "" or find(key, '/') == 1 then
         return nil, "can't find main key, key: " .. key
     end
 
-    local sub_key = idx and sub(key, idx + 1) or nil
+    local main_key = key
+    local sub_key
+    local last_err
+    while true do
+        core.log.info("main: ", main_key, sub_key and ", sub: " .. sub_key or 
"")
 
-    core.log.info("main: ", main_key, sub_key and ", sub: " .. sub_key or "")
+        local res, err, not_found = make_request_to_aws(conf, main_key)
+        if res then
+            if not sub_key then
+                return res
+            end
 
-    local res, err = make_request_to_aws(conf, main_key)
-    if not res then
-        return nil, "failed to retrtive data from aws secret manager: " .. err
-    end
+            local data, err = core.json.decode(res)
+            if not data then
+                return nil, "failed to decode result, res: " .. res .. ", err: 
" .. err
+            end
 
-    if not sub_key then
-        return res
-    end
+            return data[sub_key]
+        end
+
+        last_err = err
+        if not not_found then
+            break
+        end
+
+        local idx = rfind_char(main_key, '/')
+        if not idx then
+            break
+        end
 
-    local data, err = core.json.decode(res)
-    if not data then
-        return nil, "failed to decode result, res: " .. res .. ", err: " .. err
+        main_key = sub(key, 1, idx - 1)
+        sub_key = sub(key, idx + 1)
     end
 
-    return data[sub_key]
+    return nil, "failed to retrtive data from aws secret manager: " .. last_err

Review Comment:
   Fixed in 300c4efe8, together with the test assertion on the message. The 
same pre-existing typo in gcp.lua/vault.lua is left for a separate cleanup 
since their tests also assert the current wording.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to