Secrets Manager Datasource Doesn't Appear to Work #2190

Open
sjiveson opened this issue Jul 23, 2024 · 5 comments
@sjiveson

./gomplate --version
gomplate version 4.1.0

aws --version
aws-cli/1.24.10 Python/3.6.8 Linux/4.18.0-553.8.1.el8_10.x86_64 botocore/1.26.10

cat /etc/redhat-release
Red Hat Enterprise Linux release 8.10 (Ootpa)

Hi,

I'm attempting to retrieve secrets using AWS Secrets Manager (on an EC2 instance), however, I'm getting this error:

ec2-user]# ./gomplate --verbose -d 'foo=aws+sm:' -i '{{ ds "foo" "goemplate" }}'
13:32:18 DBG starting gomplate
13:32:18 DBG config is:
---
datasources:
  foo:
    header: {}
    url: 'aws+sm:'
in: '{{ ds "f...'
 version=4.1.0 build=cc2584028866967a39b096265d5b9af4516c734f
13:32:18 DBG completed rendering templatesRendered=0 errors=1 duration=84.088165ms
13:32:18 ERR  err="renderTemplate: failed to render template <arg>: template: <arg>:1:3: executing \"<arg>\" at <ds \"foo\" \"goemplate\">: error calling ds: couldn't read datasource 'foo' (aws+sm:///goemplate): stat (url: \"aws+sm:///\", name: \"goemplate\"): stat goemplate: file does not exist"

Looking at my CloudTrail logs, I'm seeing this:

...
errorCode	ResourceNotFoundException
errorMessage	Secrets Manager can't find the specified secret.
eventCategory	Management
eventID	NNee72f2-f237-4467-81b4-fe0d81f8cNNN
eventName	GetSecretValue
eventSource	secretsmanager.amazonaws.com
eventTime	2024-07-23T13:23:37Z
eventType	AwsApiCall
eventVersion	1.09
managementEvent	1
readOnly	1
requestParameters.secretId	/goemplate
...

As you can see on that last line, a forward slash is being included at the start of the secretId when it shouldn't be. This also occurs if I specify, for instance, goemplate/something or goemplate/something/something.

Any assistance appreciated and thanks for a great tool.
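The leading slash reported above can be reproduced with Go's standard `net/url` alone. This is an added example, not gomplate or go-fsimpl code: `resolved` shows how the base `aws+sm:` and the argument `goemplate` resolve to `aws+sm:///goemplate`, and `secretID` is a hypothetical helper that drops the slash only when resolution introduced it. That gomplate joins the URL this way internally is an assumption.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// resolved joins the datasource base URL and the template argument the way
// an RFC 3986 relative reference is resolved by net/url.
func resolved(base, arg string) (*url.URL, error) {
	b, err := url.Parse(base)
	if err != nil {
		return nil, err
	}
	ref, err := url.Parse(arg)
	if err != nil {
		return nil, err
	}
	return b.ResolveReference(ref), nil
}

// secretID is a hypothetical helper that picks the SecretId for
// GetSecretValue. Secret names may start with "/", so the slash is dropped
// only when resolution added it: the base had no path and the argument had
// no leading slash.
func secretID(base, arg string) (string, error) {
	b, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	u, err := resolved(base, arg)
	if err != nil {
		return "", err
	}
	if u.Opaque != "" { // e.g. base "aws+sm:name" with an empty argument
		return u.Opaque, nil
	}
	if b.Path == "" && !strings.HasPrefix(arg, "/") {
		return strings.TrimPrefix(u.Path, "/"), nil
	}
	return u.Path, nil
}

func main() {
	u, _ := resolved("aws+sm:", "goemplate")
	fmt.Println(u.String(), u.Path)
	id, _ := secretID("aws+sm:", "goemplate")
	fmt.Println(id)
}
```

An IAM policy scoped to a secret name without the slash will not match a request for the slash-prefixed name, so checking `requestParameters.secretId` in CloudTrail, as done above, is the quickest way to confirm which form was sent.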

@hairyhenderson
Owner

I think this may be a duplicate of #2180 - as a workaround, try setting the region?

@sjiveson
Author

It's not that, unfortunately; the error message when I hadn't was very clear, which was nice:

15:46:40 ERR  err="renderTemplate: failed to render template one.txt.tmpl: template: one.txt.tmpl:1:32: executing \"one.txt.tmpl\" at <ds \"testsource\" \"/goemplate/awssm/test\">: error calling ds: couldn't read datasource 'testsource' (aws+sm:///goemplate/awssm/test): stat (url: \"aws+sm:///\", name: \"goemplate/awssm/test\"): stat test: getSecretValue: operation error Secrets Manager: GetSecretValue, failed to resolve service endpoint, endpoint rule error, Invalid Configuration: Missing Region"

@hairyhenderson
Owner

Ah - this reminds me of some strangeness I had to deal with in the old v3 implementation. Looks like some of that got lost in the v4/go-fsimpl shuffle.

@github-actions github-actions bot added the Stale label Sep 23, 2024
@sjiveson
Author

I'm not capable, but a fix would still be much appreciated.

@github-actions github-actions bot removed the Stale label Sep 24, 2024