fix(operator): resolve_string mishandled ECS-native :jsonKey:: suffix#1288
Merged
Conversation
Found via live E2E testing right after #1285 merged: applying a real manifest using the ECS-native valueFrom ARN format (the one the README itself documents as Format 1) failed with 'failed to resolve TELEGRAM_BOT_TOKEN', because resolve_string passed the full value - including the trailing :<jsonKey>:: suffix - straight to GetSecretValue's secret_id parameter. That suffix is purely an ECS valueFrom convention (resolved by ECS itself at container launch, via register_task_definition), not something the Secrets Manager API understands; AWS docs confirm SecretId only ever accepts a plain ARN or name. The previous doc comment's claim that 'GetSecretValue resolves natively' was simply wrong. Fix: add split_ecs_json_key_suffix to detect and strip the ECS-only suffix from an ARN-shaped value, then extract the JSON key manually - the same way the aws-sm://...#... path already did. resolve_value_from (used for the actual ECS task definition, where ECS does understand the suffix) is unaffected. Verified live: re-ran oabctl apply against the real manifest (TELEGRAM_BOT_TOKEN as an ECS-native ARN with the JSON-key suffix) - now prints '✓ Telegram webhook registered: Webhook was set' instead of the previous resolution failure. Testing: cargo build/clippy --all-targets -D warnings/test clean on macmini; 29/29 tests pass (3 new, including the exact real-world ARN value that surfaced the bug as a regression test).
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
Two real gaps found in code review of the initial fix:
1. arn:...:secret:mysecret:: was misparsed as json-key='mysecret' when
it's actually a full-secret-value reference where 'mysecret' is
part of the secret name/base ARN, with all three optional ECS
suffix fields empty. Fixed by locating the unambiguous ':secret:'
marker and treating everything up to the next colon as the
secret-name segment (which per AWS's own docs never contains a
colon), rather than blindly rsplit'ing on the last colon.
2. The ECS valueFrom suffix actually has three positional fields, not
one: <json-key>:<version-stage>:<version-id> (confirmed against
AWS's ECS docs' worked examples for referencing a specific
key/version). The previous implementation only handled the
json-key-only case and silently fell through to 'no suffix' for
any value with a non-empty version-stage or version-id, which
would then fail at GetSecretValue with a confusing error. Now
parses all three fields and fails closed with a clear, specific
error when a version is pinned - oabctl's own use case (fetching a
secret's plaintext value in-process) never needs to pin a
rotation version, so this is an intentional, documented
limitation rather than a silent misparse.
Testing: cargo build/clippy --all-targets -D warnings/test clean on
macmini; 33/33 tests pass (7 new, covering both findings using AWS's
own documented example ARN shapes). Re-verified live against the real
manifest from the original bug report - still resolves correctly
('Webhook is already set'), confirming no regression.
Collaborator
Author
|
LGTM ✅ — Real bug fix with solid, well-tested ECS suffix parsing that handles all documented ARN shapes correctly. What This PR DoesFixes How It WorksAdds
Findings
Baseline Check
What's Good (🟢)
|
thepagent
approved these changes
Jul 4, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes a real bug found within minutes of merging #1285 by re-testing
oabctl applylive against a real manifest.resolve_string(used to fetchTELEGRAM_BOT_TOKEN's plaintext value forthe new auto-
setWebhookcall) claimed in its doc comment thatGetSecretValue"resolves natively" an ARN carrying the ECS-only:<jsonKey>::suffix — that claim was simply wrong. AWS's own docs confirmGetSecretValue'sSecretIdparameter only ever accepts a plain ARN orsecret name; the
:<jsonKey>::JSON-key-extraction suffix is purely an ECSvalueFromconvention, resolved by ECS itself at container launch viaregister_task_definition, not something the Secrets Manager APIunderstands at all.
Result: any manifest using the ECS-native
valueFromARN format forTELEGRAM_BOT_TOKEN— which is Format 1 in the README, i.e. the more commonof the two documented formats — failed webhook registration with
failed to resolve TELEGRAM_BOT_TOKEN, even though the exact same value works fine asan ECS task-definition secret (that path goes through
resolve_value_from,which never had this bug).
Fix
Added
split_ecs_json_key_suffix, which detects and strips the ECS-onlysuffix from an ARN-shaped value (only ARNs — a bare secret name is never
split), then
resolve_stringextracts the JSON key manually from thefetched secret string — the same way it already did for the
aws-sm://form.
resolve_value_from(used to build the actual ECS task definition,where ECS does understand the suffix) is untouched and unaffected.
Testing done
3 new unit tests, including the exact real-world ARN value that surfaced
the bug (
arn:aws:secretsmanager:us-east-1:903779448426:secret:oab/telegram/pahudxbot-AC80TP:TELEGRAM_BOT_TOKEN::)as a regression test.
Live E2E: re-ran
oabctl applyagainst the real manifest that hit thisbug (
TELEGRAM_BOT_TOKENas an ECS-native ARN). Before the fix:⚠ Telegram webhook registration failed (apply still succeeded): failed to resolve TELEGRAM_BOT_TOKEN. After:✓ Telegram webhook registered: Webhook was set.Update: addressed 2 code review findings
A review flagged two real gaps in the initial
split_ecs_json_key_suffix:arn:...:secret:mysecret::gets misparsed —mysecretis treated as a json-key, but it's actually part of the secret name (a full-secret-value reference with all suffix fields empty):<jsonKey>::— it's 3 positional fields (<json-key>:<version-stage>:<version-id>), unhandled hereBoth fixed:
:secret:marker in the ARN and treat everythingup to the next colon as the secret-name segment (which per AWS's docs
never itself contains a colon) — rather than blindly
rsplit-ing on thelast colon, which can't distinguish "secret name" from "json-key" when
the suffix fields are all empty.
error when version-stage/version-id is non-empty, instead of silently
falling through to "no suffix" (which would then fail later at
GetSecretValuewith a confusing, unrelated error).oabctl's own usecase — fetching a secret's plaintext value in-process to call a
third-party API — never needs to pin a rotation version, so this is an
intentional, documented limitation, not a missing feature to build out
further right now.
7 new tests added covering both findings, using AWS's own documented
example ARN shapes (key-only, version-stage-only, version-id-only,
key+version-stage). Re-verified live against the real manifest from the
original bug report — still resolves correctly, no regression.