Skip to content

fix(secret): aws secret manager fails when the secret name contains a slash#13519

Merged
nic-6443 merged 2 commits into
apache:masterfrom
nic-6443:fix/aws-secret-name-slash-11647
Jun 12, 2026
Merged

fix(secret): aws secret manager fails when the secret name contains a slash#13519
nic-6443 merged 2 commits into
apache:masterfrom
nic-6443:fix/aws-secret-name-slash-11647

Conversation

@nic-6443

Copy link
Copy Markdown
Member

Description

AWS Secrets Manager allows slashes in secret names, but apisix/secret/aws.lua splits the key at the first slash. For $secret://aws/1/john/secret/john-key-auth where the secret is actually named john/secret, APISIX sends SecretId=john and treats secret/john-key-auth as the JSON field name, so the lookup fails with ResourceNotFoundException (vault.lua, by contrast, splits at the last slash).

The reference URI is inherently ambiguous — there is no way to know upfront where the secret name ends and the JSON field begins. This PR resolves it with a longest-name-first fallback: first try the whole remaining key as the SecretId with no field, and on ResourceNotFoundException progressively move path segments from the right into the field position, e.g. for john/secret/john-key-auth:

  1. SecretId=john/secret/john-key-auth (no field)
  2. SecretId=john/secret, field john-key-auth
  3. SecretId=john, field secret/john-key-auth

The first successful lookup wins. A definitive non-NotFound error (e.g. auth failure, connection error) aborts immediately instead of trying more splits. Keys without slashes behave exactly as before, and since apisix/secret.lua caches resolved values by URI in an lrucache, the extra requests only happen on cache miss.

Precedence note: the old behavior always split at the first slash. If both interpretations exist (a secret literally named john containing the field secret/john-key-auth and a secret named john/secret), the longest matching secret name now takes precedence. This rule is documented in the secret terminology doc (en + zh).

#11655 attempted to fix this earlier but went stale; this PR picks the issue up with the fallback-resolution approach and adds regression tests (slash-named secret with field lookup, full key as secret name, end-to-end $secret:// URI resolution), with the corresponding secrets seeded into the localstack used by CI.

Which issue(s) this PR fixes:

Fixes #11647

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (see the precedence note above for the only behavioral edge case)

@nic-6443 nic-6443 marked this pull request as ready for review June 11, 2026 13:19
Copilot AI review requested due to automatic review settings June 11, 2026 13:19
@dosubot dosubot Bot added size:L This PR changes 100-499 lines, ignoring generated files. bug Something isn't working labels Jun 11, 2026

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes AWS Secrets Manager lookups when secret names contain / by changing APISIX’s $secret://aws/... resolution to try the longest possible secret name first and progressively shift trailing path segments into the JSON field portion only on ResourceNotFoundException. It also adds regression tests, updates documentation to describe the precedence rule, and seeds additional test secrets into the CI localstack environment.

Changes:

  • Update apisix/secret/aws.lua to implement longest-name-first fallback splitting (right-to-left) on NotFound.
  • Add tests covering slash-containing secret names, “full key is the secret name” behavior, and end-to-end $secret://aws/... resolution.
  • Document the new precedence rule in EN/ZH terminology docs and seed corresponding secrets in CI localstack.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
apisix/secret/aws.lua Implements fallback lookup logic for slash-containing secret names by shifting segments from right to field name on NotFound.
t/secret/aws.t Adds regression tests for slash-named secrets, full-path secret names, and $secret:// URI resolution.
ci/init-common-test-service.sh Seeds new localstack secrets used by the new tests.
docs/en/latest/terminology/secret.md Documents the new AWS slash-name precedence/lookup behavior.
docs/zh/latest/terminology/secret.md Same documentation update in Chinese.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread apisix/secret/aws.lua
Comment thread apisix/secret/aws.lua Outdated
Comment thread docs/en/latest/terminology/secret.md Outdated
Comment thread docs/zh/latest/terminology/secret.md Outdated
@nic-6443 nic-6443 requested a review from membphis June 12, 2026 01:26
@nic-6443 nic-6443 merged commit 5750d4f into apache:master Jun 12, 2026
34 checks passed
@nic-6443 nic-6443 deleted the fix/aws-secret-name-slash-11647 branch June 12, 2026 03:04
wistefan pushed a commit to wistefan/apisix that referenced this pull request Jun 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working size:L This PR changes 100-499 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

bug: failed to retrtive data from aws secret manager when the secret name contains a slash /

5 participants