Have a mechanism for finding services #141

Closed
majormoses opened this issue Sep 24, 2018 · 20 comments

Comments

@majormoses

Currently you can list all the secrets for a service but there is no way to find what the service is called. I think there should be some command to help with this.

@osterman

Agree, this would be helpful.

@nickatsegment
Contributor

I'm not sure off the top of my head whether we add any metadata to SSM to indicate that it's a chamber secret.

Could you not just use the AWS CLI? Eg. aws ssm get-parameters-by-path --path /

@majormoses
Author

> Could you not just use the AWS CLI? Eg. aws ssm get-parameters-by-path --path /

We have tens of thousands of parameters, someone on our team tested this (using --recursive) in one of our accounts and it took something like a full day to complete. His exact command was:

aws-vault exec MY_ACCOUNT -- aws ssm get-parameters-by-path --path / --recursive  | jq  '.Parameters|.[]|.Name' | awk -F\" {'print $2'} 

@nickatsegment
Contributor

Hm, that's strange: I listed our secrets (2.5k) in about 10 seconds...

Chamber would have to use the same API call, so it wouldn't be any faster.

@majormoses
Author

For some accounts we have needed to raise the default limit of 10k secrets, so it's probably an issue of scalability. We may be running into rate limits, which could explain why with a very large number of secrets it takes a much longer amount of time.

@nickatsegment
Contributor

Yeah, that makes sense. I'm sure we've had to have our limits increased at some point.

@nickatsegment
Contributor

With the SSM backend at least, there's no way I can think of that would be better in terms of UX or efficiency than just using the AWS CLI. Counterpoints appreciated.

@majormoses
Author

majormoses commented Nov 6, 2018

> With the SSM backend at least, there's no way I can think of that would be better in terms of UX or efficiency than just using the AWS CLI. Counterpoints appreciated.

I agree there is probably not anything from a performance perspective, but from a UX perspective, needing to memorize/type/alias this is pretty far from ideal:

aws ssm get-parameters-by-path --path / --recursive  | jq  '.Parameters|.[]|.Name' | awk -F\" {'print $2'} 

Would like there to be something much simpler such as chamber list-secrets even if all it did was execute that command on the user's behalf.

@nickatsegment
Contributor

Yeah, you're right. I can see value in that. Especially if you were working with multiple backends or the v1/v2 migration.

I'd say list-services would be a slightly better name to keep with the metaphors of services containing many secrets.

We'd need to make sure each backend is supported, and probably add a new func to the store interface, say ListServices.

I've added the help wanted label, since I don't think the maintainers at Segment have an immediate need for this.
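A sketch of the service listing discussed above, as an added example that is not chamber's code and not the implementation in any PR: it follows a paginated parameter listing to the end and reduces the names to a sorted, de-duplicated set of services. The `/service/key` name layout, the `page` type, the `fakeFetch` stub with its constructed names, and the `ListServices` signature are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// page is one response of a paginated parameter listing (hypothetical type).
type page struct {
	Names     []string
	NextToken string // empty on the last page
}

// serviceOf returns the first path segment of "/service/key" (assumed layout),
// or "" when the name does not have that shape.
func serviceOf(name string) string {
	parts := strings.Split(name, "/") // "/svc/key" -> ["", "svc", "key"]
	if len(parts) < 3 || parts[0] != "" || parts[1] == "" {
		return ""
	}
	return parts[1]
}

// ListServices follows NextToken until the listing is exhausted and returns
// the sorted, de-duplicated service names. A real fetch would call the backend.
func ListServices(fetch func(token string) (page, error)) ([]string, error) {
	seen := map[string]bool{}
	for token := ""; ; {
		p, err := fetch(token)
		if err != nil {
			return nil, err
		}
		for _, n := range p.Names {
			if s := serviceOf(n); s != "" {
				seen[s] = true
			}
		}
		if token = p.NextToken; token == "" {
			break
		}
	}
	out := make([]string, 0, len(seen))
	for s := range seen {
		out = append(out, s)
	}
	sort.Strings(out)
	return out, nil
}

// fakeFetch serves two constructed pages so the example runs offline.
func fakeFetch(token string) (page, error) {
	if token == "" {
		return page{[]string{"/billing/db_password", "/web/api_key", "/toplevel"}, "t1"}, nil
	}
	return page{[]string{"/billing/stripe_key", "/auth/jwt_secret"}, ""}, nil
}

func main() { fmt.Println(ListServices(fakeFetch)) }
```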

@stale

stale bot commented Mar 9, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Mar 9, 2019
@majormoses
Author

Can we leave this open until someone implements it?

@nickatsegment
Contributor

@majormoses Yep, stalebot removed the wontfix staleness label because you commented. I kind of yolo'd the addition of stalebot, and intend to cut a doc explaining it soon. #192

@stale

stale bot commented May 12, 2019

This issue has been automatically marked stale because it has not had any activity in the last 60 days. If no further activity occurs within 7 days, it will be closed. Closed does not mean "never", just that it has no momentum to get accomplished any time soon.
See CONTRIBUTING.md for more info.

@stale stale bot added the stale label May 12, 2019
@normoes

normoes commented May 16, 2019

I wrote my own script to do this.
Check it out, it's called aws-ssm-pstore.

https://github.com/normoes/aws-helpers

It uses aws-vault internally and can be used with pass as password backend.

@stale stale bot removed the stale label May 16, 2019
@stale

stale bot commented Jul 15, 2019

This issue has been automatically marked stale because it has not had any activity in the last 60 days. If no further activity occurs within 7 days, it will be closed. Closed does not mean "never", just that it has no momentum to get accomplished any time soon.
See CONTRIBUTING.md for more info.

@stale stale bot added the stale label Jul 15, 2019
@jondkelley

Let's leave this open, bot.

@stale stale bot removed the stale label Jul 17, 2019
@nickatsegment
Contributor

Anyone wanna pick this up? Us maintainers don't have a use for it.

@normoes

normoes commented Jul 23, 2019

@nickatsegment Do you have any hints on where to start for everyone interested but not familiar with the code at all?

Maybe a link to the file/function that handles a similar functionality, like listing the parameters to get an idea.

@nickatsegment
Contributor

I realized after writing this that there was an open PR awaiting my review that solves this problem (for SSM backend at least) #187

It's not got a release yet, but feel free to try it out. I tested it only briefly.

I suspect most folks use the SSM backend, so I'm going to consider this fixed. Let me know if that's not true.

@normoes

normoes commented Jul 23, 2019

Looks like that's it.
