
feat(secrets): auto-extract API key from JSON-structured Secrets Manager secrets #1146

Open

litianningdatadog wants to merge 2 commits into main from tianning.li/SVLS-8755-arn-secret-key

Conversation

@litianningdatadog (Contributor) commented Mar 31, 2026

Summary

  • When DD_API_KEY_SECRET_ARN is set and the fetched secret is a JSON object, automatically extract the dd_api_key field as the API key
  • Falls back to the raw secret string if the value is not valid JSON or the dd_api_key field is absent — preserving existing behavior for plain-string secrets
  • No new environment variable introduced; the JSON key name is hardcoded as dd_api_key

Test Plan

  • Unit tests cover JSON extraction (dd_api_key present), fallback to raw (key absent), and plain string secrets
  • Verify with a real Secrets Manager secret in JSON format: {"dd_api_key": "<your-key>"}
  • Verify plain-string secrets continue to work unchanged
  • Integration test using a test function, with the secret in JSON and in plain text. The positive and negative tests all performed as expected.
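The extraction-with-fallback rule in the summary above, written out as an added example (not the bottlecap project's own Rust code, and not part of the pull request): the secret string is parsed as JSON, a string-valued `dd_api_key` field is used when present, and anything else falls back to the raw secret string. The function names `resolve_api_key` and `fallback_diagnostic` are assumptions chosen for this illustration, as is the decision to treat a non-string `dd_api_key` value the same as an absent one; the sample secrets are constructed.

```python
import json
from typing import Optional, Tuple

# Key name the PR description says is hardcoded (no new environment variable).
SECRET_JSON_KEY = "dd_api_key"


def resolve_api_key(secret_value: str) -> Tuple[str, str]:
    """Return (api_key, source).

    source is "json" when the secret parsed as a JSON object with a
    string-valued dd_api_key field, and "raw" when the raw secret string
    is used unchanged (plain-string secret, invalid JSON, non-object JSON,
    or dd_api_key missing). Hypothetical helper modelling the PR's rule.
    """
    try:
        parsed = json.loads(secret_value)
    except ValueError:
        # Not valid JSON: a plain-string secret, the pre-existing behaviour.
        return secret_value, "raw"

    if isinstance(parsed, dict):
        key = parsed.get(SECRET_JSON_KEY)
        # Assumption for this example: only a non-empty string counts as a key;
        # a number or null in that field is handled like an absent field.
        if isinstance(key, str) and key:
            return key, "json"

    # Valid JSON but not an object, or no usable dd_api_key: fall back to raw.
    return secret_value, "raw"


def fallback_diagnostic(secret_value: str, source: str) -> Optional[str]:
    """Operational check added for this example (not from the PR).

    The fallback path hands the secret through verbatim, so a JSON secret
    that lacks the expected field would be sent as the API key in its
    entirety and fail authentication. Return a message worth logging in
    that case, or None when the fallback is the ordinary plain-string path.
    """
    if source == "raw" and secret_value.lstrip().startswith(("{", "[")):
        return (
            f"secret parsed as JSON but carried no string '{SECRET_JSON_KEY}' "
            "field; the whole document is being used as the API key"
        )
    return None


if __name__ == "__main__":
    # Constructed sample secrets covering the happy path and each fallback case.
    samples = [
        '{"dd_api_key": "abc123"}',          # JSON object with the expected field
        'abc123',                            # plain-string secret
        '{"apiKey": "abc123"}',              # JSON object, field absent
        '{"dd_api_key": 42}',                # field present but not a string
        '[1, 2, 3]',                         # JSON, but not an object
    ]
    for secret in samples:
        api_key, source = resolve_api_key(secret)
        note = fallback_diagnostic(secret, source)
        print(f"{secret!r:32} -> {source:4} {api_key!r}" + (f"  [{note}]" if note else ""))
```

The diagnostic is the point to take away: a key/value secret whose field is misnamed (for example `apiKey` instead of `dd_api_key`) is not rejected by the described rule, it is forwarded whole, so a log line on that path is what turns a confusing authentication failure into a clear configuration error.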

@litianningdatadog litianningdatadog marked this pull request as ready for review March 31, 2026 22:12
@litianningdatadog litianningdatadog requested a review from a team as a code owner March 31, 2026 22:12
Copilot AI (Contributor) left a comment

Pull request overview

This PR adds support for JSON-structured Secrets Manager secrets by introducing a new DD_API_KEY_SECRET_JSON_KEY environment variable. When set alongside DD_API_KEY_SECRET_ARN, the extension parses the secret value as JSON and extracts the named field as the API key, addressing the need for teams that store secrets in key/value format (e.g., {"apiKey": "<key>"}).

Changes:

  • Added JSON extraction logic to decrypt_aws_sm() function that parses secrets as JSON when json_key is provided
  • Added api_key_secret_json_key field to all three config layers (Config, EnvConfig, YamlConfig) with proper merge logic
  • Added three unit tests covering successful extraction, missing key error handling, and backward compatibility with plain secrets
  • Updated configuration examples in YAML and environment config tests

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File: bottlecap/src/secrets/decrypt.rs
Description: Added JSON extraction logic with new json_key parameter; includes three new unit tests

File: bottlecap/src/config/mod.rs
Description: Added api_key_secret_json_key field to Config struct and its Default impl

File: bottlecap/src/config/env.rs
Description: Added api_key_secret_json_key field to EnvConfig with documentation; updated merge logic and test fixtures

File: bottlecap/src/config/yaml.rs
Description: Added api_key_secret_json_key field to YamlConfig; updated merge logic, example YAML config, and test fixtures

@duncanista (Contributor) left a comment

Honestly, not super happy about having a new env var just for this, we should talk as a team if this is something we want to actually support

@litianningdatadog (Contributor, Author) commented Apr 1, 2026

Honestly, not super happy about having a new env var just for this, we should talk as a team if this is something we want to actually support

I think the user makes a valid point for the reasons below:

  • The AWS UI makes key-value support intuitive.
  • Supporting key-value pairs would make secrets more versatile, rather than limiting them to a single purpose.

Without introducing a new key, I do not think there is a better candidate for this.

@litianningdatadog litianningdatadog force-pushed the tianning.li/SVLS-8755-arn-secret-key branch from 47611b4 to 055a5f2 on April 1, 2026 14:27

…ger secrets

When DD_API_KEY_SECRET_ARN is set and the fetched secret is a JSON object,
automatically extract the value of the hardcoded "dd_api_key" field as the API key.
Falls back to using the raw secret string if the value is not valid JSON or the
"dd_api_key" field is absent, preserving existing behavior for plain-string secrets.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@litianningdatadog litianningdatadog force-pushed the tianning.li/SVLS-8755-arn-secret-key branch from 055a5f2 to d5c7644 on April 1, 2026 18:45
@litianningdatadog litianningdatadog changed the title from "[SVLS-8755] feat(secrets): support JSON-structured Secrets Manager secrets" to "feat(secrets): auto-extract API key from JSON-structured Secrets Manager secrets" on Apr 1, 2026