import json
import boto3
from botocore.exceptions import ClientError, NoCredentialsError
# AWS Secrets Manager:
# Connection settings used by get_secret(): the helper first calls STS
# AssumeRole on AWS_ROLE_ARN and then reads the secret with the temporary
# credentials, so the role's trust policy must allow the principal running
# this code, and its permissions policy should be scoped to the specific
# secrets this helper needs rather than all of Secrets Manager.
# The three values below are template placeholders; the module does not
# work until they are replaced.
AWS_REGION = "<AWS_REGION>" # Replace <AWS_REGION> with your AWS region (used for both the STS and the Secrets Manager client)
AWS_ROLE_ARN = "<AWS_ROLE_ARN>" # Replace <AWS_ROLE_ARN> with the ARN of the IAM role that get_secret() assumes
AWS_ROLE_SESSION_NAME = "<AWS_ROLE_SESSION_NAME>" # Replace <AWS_ROLE_SESSION_NAME> with the name you want to give to that session, e.g. PantherGetSecrets. It becomes part of the assumed-role identity, so choose one that identifies this integration in AWS audit logs.
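def get_secret(secret_name: str) -> dict:
    """
    Fetch a secret from AWS Secrets Manager after assuming AWS_ROLE_ARN via STS.

    The STS call uses whatever credentials boto3 resolves for the ambient
    environment; the Secrets Manager call uses only the temporary credentials
    returned by AssumeRole, which live in a local client for the duration of
    this call.

    Args:
        secret_name: the SecretId (name or ARN) of the secret to fetch.

    Returns:
        The parsed JSON content of the secret (normally a dict), or a dict of
        the form {"ERROR": "<message>"} when the role cannot be assumed, the
        secret cannot be read, or its content is not JSON. The return value
        holds decrypted secret material and must not be logged by callers.
        Note that a secret whose own JSON contains an "ERROR" key is not
        distinguishable from a failure by key alone.
    """
    no_creds_msg = "No trust connection to AWS secrets manager"

    try:
        sts_client = boto3.client(service_name="sts", region_name=AWS_REGION)
        resp = sts_client.assume_role(
            RoleArn=AWS_ROLE_ARN,
            RoleSessionName=AWS_ROLE_SESSION_NAME,
        )
        credentials = resp["Credentials"]
        sec_client = boto3.client(
            service_name="secretsmanager",
            region_name=AWS_REGION,
            aws_access_key_id=credentials["AccessKeyId"],
            aws_secret_access_key=credentials["SecretAccessKey"],
            aws_session_token=credentials["SessionToken"],
        )
    except NoCredentialsError:
        return {"ERROR": no_creds_msg}
    except ClientError as error:
        # AssumeRole can itself be denied (e.g. a trust-policy mismatch);
        # report it the same way as a GetSecretValue failure instead of
        # letting the exception escape. str(ClientError) carries the AWS
        # error code and message, not secret material.
        return {"ERROR": str(error)}

    try:
        response = sec_client.get_secret_value(SecretId=secret_name)
    except ClientError as error:
        return {"ERROR": str(error)}
    except NoCredentialsError:
        return {"ERROR": no_creds_msg}

    # Secrets Manager decrypts with the associated KMS key and returns the
    # value as SecretString or, for binary secrets, SecretBinary (which boto3
    # returns as bytes). json.loads accepts either str or bytes.
    payload = response.get("SecretString")
    if payload is None:
        payload = response.get("SecretBinary")
    if payload is None:
        return {"ERROR": f"Secret '{secret_name}' has no SecretString or SecretBinary value"}

    try:
        return json.loads(payload)
    except (json.JSONDecodeError, UnicodeDecodeError):
        # A plain-text (non-JSON) secret previously raised out of this
        # function; surface it through the same error convention.
        return {"ERROR": f"Secret '{secret_name}' does not contain valid JSON"}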