fix(filemanager): ignore transient secret errors (#981)

mmalenic · web-flow · commit db7a9ab94e24 · 2025-05-01T02:30:17.000Z
* fix(filemanager): ignore transient errors and print error message better if it does occur

* fix(filemanager): add DescribeSecret permission for Lambda role
diff --git a/lib/workload/stateless/stacks/filemanager/deploy/constructs/functions/api.ts b/lib/workload/stateless/stacks/filemanager/deploy/constructs/functions/api.ts
@@ -36,7 +36,7 @@ export class ApiFunction extends fn.Function {
     // Allow access to the access key secret.
     this.role.addToPolicy(
       new PolicyStatement({
-        actions: ['secretsmanager:GetSecretValue'],
+        actions: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'],
         resources: [`${props.accessKeySecretArn}-*`],
       })
     );
diff --git a/lib/workload/stateless/stacks/filemanager/filemanager/src/clients/aws/secrets_manager.rs b/lib/workload/stateless/stacks/filemanager/filemanager/src/clients/aws/secrets_manager.rs
@@ -6,7 +6,10 @@ use crate::error::Error::{ParseError, SecretsManagerError};
 use crate::error::Result;
 use aws_credential_types::provider::ProvideCredentials;
 use aws_credential_types::{provider, Credentials};
+use aws_sdk_s3::error::SdkError;
 use aws_sdk_secretsmanager as secretsmanager;
+use aws_sdk_secretsmanager::error::DisplayErrorContext;
+use aws_sdk_secretsmanager::operation::get_secret_value::GetSecretValueError;
 use aws_secretsmanager_caching::output::GetSecretValueOutputDef;
 use aws_secretsmanager_caching::SecretsManagerCachingClient;
 use base64::prelude::Engine;
@@ -38,7 +41,7 @@ impl Client {
             secretsmanager::config::Builder::from(&config),
             NonZeroUsize::new(1).expect("valid non-zero usize"),
             Duration::from_secs(900),
-            false,
+            true,
         )
         .await
         .map_err(|err| SecretsManagerError(err.to_string()))?;
@@ -89,10 +92,16 @@ impl ProvideCredentials for SecretsManagerCredentials {
 impl SecretsManagerCredentials {
     /// Construct the credentials from the secret.
     pub async fn new(id: &str, client: &Client) -> Result<Self> {
-        let secret = client
-            .get_secret(id)
-            .await
-            .map_err(|err| SecretsManagerError(format!("no valid secret {}: {}", id, err)))?;
+        let secret = client.get_secret(id).await.map_err(|err| {
+            let sdk_err: Option<&SdkError<GetSecretValueError>> = err.downcast_ref();
+            let display_err = if let Some(err) = sdk_err {
+                DisplayErrorContext(&err).to_string()
+            } else {
+                err.to_string()
+            };
+
+            SecretsManagerError(format!("no valid secret {}: {}", id, display_err))
+        })?;
 
         let secret = if let Some(string) = secret.secret_string {
             from_str(&string)?
