smartcontractkit · lukaszcl · Jan 16, 2025 · Jan 9, 2025 · Jan 9, 2025 · Jan 9, 2025
@@ -1,58 +1,176 @@
 # ghsecrets
 
-ghsecrets is a command-line tool designed to manage and set test secrets in GitHub via the GitHub CLI.
+`ghsecrets` is a command-line tool designed to manage and set test secrets in either:
+
+- **GitHub** (via the GitHub CLI), or
+- **AWS Secrets Manager**.
+
+This tool helps streamline the process of storing test secrets which can be referenced by your workflows or other services.
+
+---
 
 ## Installation
 
-To install ghsecrets CLI, you need to have Go installed on your machine. With Go installed, run the following command:
+To install the `ghsecrets` CLI, ensure you have Go installed. Then run:
 
 ```sh
 go install github.com/smartcontractkit/chainlink-testing-framework/tools/ghsecrets@latest
 ```
 
-Please install GitHub CLI to use this tool - https://cli.github.com/
+Note: If you plan to set secrets in GitHub, please also install the GitHub CLI (gh).
 
 ## Usage
 
-Set default test secrets from ~/.testsecrets file:
+### 1. Setting Secrets
+
+By default, `ghsecrets set` assumes you want to store secrets in AWS Secrets Manager, using a file from `~/.testsecrets` (if not specified). You can change the backend to GitHub, specify a custom file path, or share the AWS secret with other IAM principals. Below are common examples:
+
+#### a) Set secrets in AWS (default)
+
+> **⚠️ Note:** Ensure you authenticate with AWS before using the tool:
+>
+> ```sh
+> aws sso login --profile <your-aws-sdlc-profile>
+> ```
+> Use the **SDLC** profile in AWS 
+
+This will read from `~/.testsecrets` (by default) and create/update a secret in AWS Secrets Manager:
+
+```sh
+ghsecrets set --profile <your-aws-sdlc-profile>
+```
+
+If you’d like to specify a different file:
+
+```sh
+ghsecrets set --file /path/to/mysecrets.env --profile <your-aws-sdlc-profile>
+```
+
+If you’d like to specify a custom secret name:
 
 ```sh
-ghsecrets set
+ghsecrets set --secret-id my-custom-secret --profile <your-aws-sdlc-profile>
+```
+
+Note: For AWS backend, the tool automatically adds the `testsecrets/` prefix if it is missing. This ensures consistency and allows GitHub Actions to access all secrets with this designated prefix.
+
+If you’d like to share this secret with additional AWS IAM principals (e.g., a collaborator’s account):
+
+```sh
+ghsecrets set --shared-with arn:aws:iam::123456789012:role/SomeRole --profile <your-aws-sdlc-profile>
+```
+
+You can specify multiple ARNs using commas:
+
+```sh
+ghsecrets set --shared-with arn:aws:iam::123456789012:role/SomeRole,arn:aws:iam::345678901234:root --profile <your-aws-sdlc-profile>
+```
+
+#### b) Set secrets in GitHub
+
+```sh
+ghsecrets set --backend github
+```
+
+This will:
+1. Read from the default file (`~/.testsecrets`) unless `--file` is specified.
+2. Base64-encode the content.
+3. Create/update a GitHub secret using the GitHub CLI.
+
+### 2. Retrieving Secrets (AWS Only)
+
+If you want to retrieve an existing secret from AWS Secrets Manager, use:
+
+```sh
+ghsecrets get --secret-id testsecrets/MySecretName --profile <your-aws-sdlc-profile>
+```
+
+By default, it tries to decode a Base64-encoded test secret. To disable decoding use `--decode false` flag:
+
+```sh
+ghsecrets get --secret-id testsecrets/MySecretName --decode false --profile <your-aws-sdlc-profile>
 ```
 
 ## FAQ
 
-### Q: What should I do if I get "command not found: ghsecrets" after installation?
+<details>
+<summary><strong>Q: I get "command not found: ghsecrets" after installation. How do I fix this?</strong></summary>
+
+This error typically means the directory where Go installs its binaries is not in your system’s PATH. The binaries are usually installed in `$GOPATH/bin` or `$GOBIN`.
+
+Steps to fix:
+1. If you use `asdf`, run:
+
+    ```sh
+    asdf reshim golang
+    ```
+
+2. Otherwise, add your Go bin directory to PATH manually:
+    - Find your Go bin directory:
+
+    ```sh
+    echo $(go env GOPATH)/bin
+    ```
+
+    - Add it to your shell config (e.g., `~/.bashrc`, `~/.zshrc`):
+
+    ```sh
+    export PATH="$PATH:<path-to-go-bin>"
+    ```
+
+    - Reload your shell:
 
-This error typically means that the directory where Go installs its binaries is not included in your system's PATH. The binaries are usually installed in $GOPATH/bin or $GOBIN. Here's how you can resolve this issue:
+    ```sh
+    source ~/.bashrc  # or .zshrc, etc.
+    ```
 
-1. If you use `asdf` run `asdf reshim golang`
+3. Alternatively, run the tool using its full path without modifying PATH:
 
-2. Or, add Go bin directory to PATH:
+    ```sh
+    $(go env GOPATH)/bin/ghsecrets set
+    ```
 
-- First, find out where your Go bin directory is by running:
+</details>
 
-  ```sh
-  echo $(go env GOPATH)/bin
-  ```
+<details>
+<summary><strong>Q: What if my AWS SSO session expires?</strong></summary>
+
+If you see errors like `InvalidGrantException` when setting or retrieving secrets from AWS, your SSO session may have expired. Re-authenticate using:
+
+```sh
+aws sso login --profile <my-aws-profile>
+```
+
+Then try running `ghsecrets` again.
+
+</details>
+
+<details>
+<summary><strong>Q: What if I get an error that says "GitHub CLI not found"?</strong></summary>
+
+For GitHub secrets, this tool requires the GitHub CLI. Please install it first:
+
+```sh
+brew install gh
+# or
+sudo apt-get install gh
+```
+
+Then run:
+
+```sh
+gh auth login
+```
 
-  This command will print the path where Go binaries are installed, typically something like /home/username/go/bin
+and follow the prompts to authenticate.
 
-- Add the following line at the end of your shell config file (`.bashrc`, `.zshrc`), usually located at `~/`:
+</details>
 
-  ```sh
-  export PATH="$PATH:<path-to-go-bin>"
-  ```
+## Contributing
 
-- Apply the changes by sourcing the file:
-  ```sh
-  source ~/.bashrc  # Use the appropriate file like .zshrc if needed
-  ```
+Pull requests are welcome! For major changes, please open an issue first to discuss what you would like to change.
 
-3. Alternatively, run using the full path:
+## License
 
-   If you prefer not to alter your PATH, or if you are troubleshooting temporarily, you can run the tool directly using its full path:
+This project is licensed under the MIT License. Feel free to use, modify, and distribute it as needed.
 
-   ```sh
-   $(go env GOPATH)/bin/ghsecrets set
-   ```
@@ -2,9 +2,25 @@ module github.com/smartcontractkit/chainlink-testing-framework/tools/ghsecrets
 
 go 1.22.5
 
-require github.com/spf13/cobra v1.8.1
+require (
+	github.com/aws/aws-sdk-go-v2 v1.31.0
+	github.com/aws/aws-sdk-go-v2/config v1.27.39
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.33.3
+	github.com/aws/aws-sdk-go-v2/service/sts v1.31.3
+	github.com/spf13/cobra v1.8.1
+)
 
 require (
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.37 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.14 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.18 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.18 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.20 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.23.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.27.3 // indirect
+	github.com/aws/smithy-go v1.21.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 )

@@ -1,3 +1,31 @@
+github.com/aws/aws-sdk-go-v2 v1.31.0 h1:3V05LbxTSItI5kUqNwhJrrrY1BAXxXt0sN0l72QmG5U=
+github.com/aws/aws-sdk-go-v2 v1.31.0/go.mod h1:ztolYtaEUtdpf9Wftr31CJfLVjOnD/CVRkKOOYgF8hA=
+github.com/aws/aws-sdk-go-v2/config v1.27.39 h1:FCylu78eTGzW1ynHcongXK9YHtoXD5AiiUqq3YfJYjU=
+github.com/aws/aws-sdk-go-v2/config v1.27.39/go.mod h1:wczj2hbyskP4LjMKBEZwPRO1shXY+GsQleab+ZXT2ik=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.37 h1:G2aOH01yW8X373JK419THj5QVqu9vKEwxSEsGxihoW0=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.37/go.mod h1:0ecCjlb7htYCptRD45lXJ6aJDQac6D2NlKGpZqyTG6A=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.14 h1:C/d03NAmh8C4BZXhuRNboF/DqhBkBCeDiJDcaqIT5pA=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.14/go.mod h1:7I0Ju7p9mCIdlrfS+JCgqcYD0VXz/N4yozsox+0o078=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.18 h1:kYQ3H1u0ANr9KEKlGs/jTLrBFPo8P8NaH/w7A01NeeM=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.18/go.mod h1:r506HmK5JDUh9+Mw4CfGJGSSoqIiLCndAuqXuhbv67Y=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.18 h1:Z7IdFUONvTcvS7YuhtVxN99v2cCoHRXOS4mTr0B/pUc=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.18/go.mod h1:DkKMmksZVVyat+Y+r1dEOgJEfUeA7UngIHWeKsi0yNc=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.5 h1:QFASJGfT8wMXtuP3D5CRmMjARHv9ZmzFUMJznHDOY3w=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.5/go.mod h1:QdZ3OmoIjSX+8D1OPAzPxDfjXASbBMDsz9qvtyIhtik=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.20 h1:Xbwbmk44URTiHNx6PNo0ujDE6ERlsCKJD3u1zfnzAPg=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.20/go.mod h1:oAfOFzUB14ltPZj1rWwRc3d/6OgD76R8KlvU3EqM9Fg=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.33.3 h1:W2M3kQSuN1+FXgV2wMv1JMWPxw/37wBN87QHYDuTV0Y=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.33.3/go.mod h1:WyLS5qwXHtjKAONYZq/4ewdd+hcVsa3LBu77Ow5uj3k=
+github.com/aws/aws-sdk-go-v2/service/sso v1.23.3 h1:rs4JCczF805+FDv2tRhZ1NU0RB2H6ryAvsWPanAr72Y=
+github.com/aws/aws-sdk-go-v2/service/sso v1.23.3/go.mod h1:XRlMvmad0ZNL+75C5FYdMvbbLkd6qiqz6foR1nA1PXY=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.27.3 h1:S7EPdMVZod8BGKQQPTBK+FcX9g7bKR7c4+HxWqHP7Vg=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.27.3/go.mod h1:FnvDM4sfa+isJ3kDXIzAB9GAwVSzFzSy97uZ3IsHo4E=
+github.com/aws/aws-sdk-go-v2/service/sts v1.31.3 h1:VzudTFrDCIDakXtemR7l6Qzt2+JYsVqo2MxBPt5k8T8=
+github.com/aws/aws-sdk-go-v2/service/sts v1.31.3/go.mod h1:yMWe0F+XG0DkRZK5ODZhG7BEFYhLXi2dqGsv6tX0cgI=
+github.com/aws/smithy-go v1.21.0 h1:H7L8dtDRk0P1Qm6y0ji7MCYMQObJ5R9CRpyPhRUkLYA=
+github.com/aws/smithy-go v1.21.0/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=