envilder
Version:
A CLI and GitHub Action that securely centralizes your environment variables from AWS SSM or Azure Key Vault as a single source of truth
70 lines • 3.15 kB
JavaScript
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
import { GetParametersCommand } from '@aws-sdk/client-ssm';
import { ExpiredCredentialsError, isExpiredCredentialsError, } from '../../domain/expired-credentials-error.js';
import { isSsoSessionExpiredError, SsoSessionExpiredError, } from '../../domain/sso-session-expired-error.js';
const SSM_BATCH_SIZE = 10;
/**
* {@link ISecretProvider} backed by AWS SSM Parameter Store.
*
* Parameters are retrieved with decryption enabled so that
* SecureString values are returned in plain text.
*
* SSM supports fetching up to 10 parameters per request,
* so names are chunked into batches automatically.
*/
export class AwsSsmSecretProvider {
constructor(ssmClient, profile) {
if (!ssmClient) {
throw new Error('ssmClient cannot be null');
}
this.ssmClient = ssmClient;
this.profile = profile;
}
getSecrets(names) {
return __awaiter(this, void 0, void 0, function* () {
var _a;
const result = new Map();
if (names.length === 0) {
return result;
}
for (const name of names) {
if (!(name === null || name === void 0 ? void 0 : name.trim())) {
throw new Error('Secret name cannot be null or whitespace');
}
}
for (let i = 0; i < names.length; i += SSM_BATCH_SIZE) {
const batch = names.slice(i, i + SSM_BATCH_SIZE);
try {
const response = yield this.ssmClient.send(new GetParametersCommand({
Names: batch,
WithDecryption: true,
}));
for (const param of (_a = response.Parameters) !== null && _a !== void 0 ? _a : []) {
if (param.Name && param.Value != null) {
result.set(param.Name, param.Value);
}
}
}
catch (error) {
if (isSsoSessionExpiredError(error)) {
throw new SsoSessionExpiredError(this.profile, error);
}
if (isExpiredCredentialsError(error)) {
throw new ExpiredCredentialsError(error);
}
throw error;
}
}
return result;
});
}
}
//# sourceMappingURL=aws-ssm-secret-provider.js.map