
Update Runner's Secrets Resolver for AWS Secrets Manager

Description

Modify GitLab Runner's secrets resolver to process AWS Secrets Manager requests and handle errors properly. This is the Runner-side component that will retrieve secrets from AWS Secrets Manager during pipeline execution.

Goals

  • Update Runner's secrets resolver to recognize AWS Secrets Manager provider type
  • Implement handling for AWS Secrets Manager request parameters
  • Ensure proper error handling and reporting
  • Maintain compatibility with existing secret providers

Implementation Plan

  1. Locate the main secrets resolver in GitLab Runner
  2. Add handling for "aws-secret-manager" provider type
  3. Extract necessary parameters from the request
  4. Call the AWS Secrets Manager client with appropriate parameters
  5. Handle and report errors appropriately

Key code changes will include:

// helpers/secrets/resolver.go (or similar)

func (r *Resolver) Resolve(ctx context.Context, secret Secret) (string, error) {
    switch secret.Provider {
    // Existing providers...
    
    case "aws-secret-manager":
        return r.resolveAWSSecret(ctx, secret)
    
    default:
        return "", fmt.Errorf("unknown secret provider: %s", secret.Provider)
    }
}

// Implementation of resolveAWSSecret method to handle AWS-specific parameters
func (r *Resolver) resolveAWSSecret(ctx context.Context, secret Secret) (string, error) {
    // Extract required and optional parameters; reject the request early if a required one is missing
    name, region, versionID, versionStage, err := extractAWSParameters(secret)
    if err != nil {
        return "", fmt.Errorf("aws-secret-manager: %w", err)
    }

    // Call AWS client (r.awsClient is a placeholder for the client added by the
    // dependency "Implement AWS Secrets Manager Client in Runner")
    value, err := r.awsClient.GetSecretValue(ctx, name, region, versionID, versionStage)
    if err != nil {
        // Handle errors: wrap rather than swallow, so the job log shows which secret failed and why
        return "", fmt.Errorf("aws-secret-manager: retrieving %q: %w", name, err)
    }

    // Return secret value
    return value, nil
}

Testing Plan

  1. Write unit tests that verify:

    • AWS Secrets Manager requests are correctly identified
    • Required parameters are properly extracted
    • Client is called with correct parameters
    • Error conditions are properly handled and reported
  2. Test error conditions:

    • Missing required parameters
    • Authentication failures
    • AWS service errors
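The dispatch, parameter validation and error wrapping from the Implementation Plan, exercised against a fake client the way the Testing Plan calls for. This is an added illustration, not Runner code: the Secret shape, the parameter keys (name, region, version_id, version_stage), the SecretsClient interface and FakeClient are all assumptions.

```go
package main

import ("context"; "errors"; "fmt")
// Secret is a constructed stand-in for a resolver request; the AWS parameter keys are assumptions.
type Secret struct{ Provider string; Params map[string]string }
type AWSParams struct{ Name, Region, VersionID, VersionStage string }
// SecretsClient is an assumed interface for the Runner-side AWS client the dependency issue will add.
type SecretsClient interface{ GetSecretValue(context.Context, AWSParams) (string, error) }
type Resolver struct{ AWS SecretsClient }
var ErrMissingParameter = errors.New("missing required parameter")
// extractAWSParameters validates the request: name is required, the other three are optional.
func extractAWSParameters(s Secret) (AWSParams, error) {
	p := AWSParams{s.Params["name"], s.Params["region"], s.Params["version_id"], s.Params["version_stage"]}
	if p.Name == "" {
		return AWSParams{}, fmt.Errorf("%w: name", ErrMissingParameter)
	}
	return p, nil
}
// Resolve dispatches on provider type. Errors are wrapped with %w, never swallowed, so the job log names the failing secret and callers can still match the cause with errors.Is.
func (r *Resolver) Resolve(ctx context.Context, s Secret) (string, error) {
	switch s.Provider {
	case "aws-secret-manager":
		p, err := extractAWSParameters(s)
		if err != nil {
			return "", fmt.Errorf("aws-secret-manager: %w", err)
		}
		v, err := r.AWS.GetSecretValue(ctx, p)
		if err != nil {
			return "", fmt.Errorf("aws-secret-manager: retrieving %q: %w", p.Name, err)
		}
		return v, nil
	default:
		return "", fmt.Errorf("unknown secret provider: %s", s.Provider)
	}
}
// FakeClient stands in for the real client so the example runs offline; an unknown name fails the way the service does, with ResourceNotFoundException.
type FakeClient map[string]string

func (f FakeClient) GetSecretValue(_ context.Context, p AWSParams) (string, error) {
	if v, ok := f[p.Name]; ok {
		return v, nil
	}
	return "", errors.New("ResourceNotFoundException")
}

func main() { // stand-alone demo of the validation failure path
	r := &Resolver{AWS: FakeClient{"prod/db/password": "s3cr3t"}}
	_, err := r.Resolve(context.Background(), Secret{Provider: "aws-secret-manager", Params: map[string]string{"region": "eu-west-1"}})
	fmt.Println(err) // aws-secret-manager: missing required parameter: name
}
```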

Acceptance Criteria

  • Runner's secrets resolver correctly identifies AWS Secrets Manager requests
  • Required parameters are properly extracted and validated
  • AWS Secrets Manager client is called with correct parameters
  • Error conditions are properly handled and reported
  • All tests pass

Dependencies

  • Implement AWS Secrets Manager Client in Runner
Edited by Aditya Tiwari