Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Need same diagnostic logging for both optional and required config data import. #864

Closed
thorntonrp opened this issue Aug 9, 2023 · 1 comment · Fixed by #928
Closed

Need same diagnostic logging for both optional and required config data import. #864

thorntonrp opened this issue Aug 9, 2023 · 1 comment · Fixed by #928
Labels
component: parameter-store Parameter Store integration related issue component: secrets-manager Secrets Manager integration related issue type: enhancement Smaller enhancement in existing integration
Milestone
3.0.3

Comments

@thorntonrp
Copy link
Contributor

thorntonrp commented Aug 9, 2023
edited
Loading

Type: Feature

Component:

  • Secrets Manager
  • Parameter Store

Is your feature request related to a problem? Please describe.

When using the config import feature for both AWS Secrets Manager and Parameter Store, if the secret or parameter is required (not prefixed with "optional:") and cannot be found, diagnostic messaging is missing. When using "optional:" import, the diagnostic messaging is logged.

First example config:

spring:
  config:
    import:
      - "aws-secretsmanager:demo-dev" 
      - "aws-parameterstore:/demo-dev/"

When using the config import feature for both AWS Secrets Manager and Parameter Store, if the secret or parameter is required (not prefixed with "optional:") and cannot be found, only the following message is printed:

22:25:38.162 [restartedMain] ERROR org.springframework.boot.diagnostics.LoggingFailureAnalysisReporter -- 

***************************
APPLICATION FAILED TO START
***************************

Description:

Config data resource '[SecretsManagerConfigDataResource@1678b7be context = 'demo-dev', optional = false]' via location 'aws-secretsmanager:demo-dev' does not exist

Action:

Check that the value 'aws-secretsmanager:demo-dev' at class path resource [application.yaml] - 7:9 is correct, or prefix it with 'optional:'

The problem is that the reason for the secret not being found is not included in the output.

Second example config (optional import):

spring:
  config:
    import:
      - "optional:aws-secretsmanager:demo-dev" 
      - "optional:aws-parameterstore:/demo-dev/"

However, if I prefix the config import with "optional:", I get a WARN log message that includes the precise reason why it could not be found (e.g., wrong region, wrong IAM policy, or wrong name). For example:

2023-08-09T22:33:42.750Z  INFO 8534 --- [  restartedMain] .a.c.a.c.s.SecretsManagerPropertySources : Loading secrets from AWS Secret Manager secret with name: demo-dev, optional: true
2023-08-09T22:33:42.750Z  WARN 8534 --- [  restartedMain] .a.c.a.c.s.SecretsManagerPropertySources : Unable to load AWS secret from demo-dev. User: arn:aws:sts::012345678901:assumed-role/aws-cloud-admin/[email protected] is not authorized to perform: secretsmanager:GetSecretValue on resource: demo-dev with an explicit deny in a service control policy (Service: SecretsManager, Status Code: 400, Request ID: d56e7b7f-c589-4ae8-8550-e9ff8a9fa8eb)

Describe the solution you'd like

It would be nice in the fail-fast scenario when requiring the import to exist if the failure output would include the same diagnostic information or if this information could at least be logged before the failure output.

Describe alternatives you've considered

Currently, I'm instructing my engineers to put "optional:" on their required config imports and run the application again to get the diagnostic logging. This is an acceptable stop-gap solution, but it's inefficient time-wise to wait for an automated build & deploy process to complete.

Additional context

I'm willing to submit a PR if that will help get this done more quickly.
@maciejwalkowiak
Copy link
Contributor

maciejwalkowiak commented Oct 30, 2023
edited
Loading

@thorntonrp thanks for reporting. I'll add logging for both optional and required import.

@maciejwalkowiak maciejwalkowiak added component: parameter-store Parameter Store integration related issue component: secrets-manager Secrets Manager integration related issue type: enhancement Smaller enhancement in existing integration labels Oct 30, 2023
@maciejwalkowiak maciejwalkowiak added this to the 3.0.3 milestone Oct 30, 2023
maciejwalkowiak added a commit that referenced this issue Oct 30, 2023
@maciejwalkowiak
Log reason why retrieving secrets failed.
bd3f870 
Fixes #864
@maciejwalkowiak maciejwalkowiak mentioned this issue Oct 30, 2023
Merged
maciejwalkowiak added a commit that referenced this issue Oct 30, 2023
@maciejwalkowiak
Log reason why retrieving secrets failed.
874d98a 
Fixes #864
maciejwalkowiak added a commit that referenced this issue Oct 30, 2023
@maciejwalkowiak
Log reason why retrieving secrets and parameters failed. (#928)
5b0f250 
Fixes #864
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
component: parameter-store Parameter Store integration related issue component: secrets-manager Secrets Manager integration related issue type: enhancement Smaller enhancement in existing integration
Projects
None yet
Milestone
3.0.3
Development

Successfully merging a pull request may close this issue.

Log reason why retrieving secrets failed. awspring/spring-cloud-aws
2 participants
@maciejwalkowiak @thorntonrp