
AWS Secrets Manager: Full ARN format causes "invalid port" URL parsing error #909

@borgius


Problem

When using a full AWS Secrets Manager ARN with ref+awssecrets:// in vals, the tool reports an error similar to:

invalid port ":secret" after host

This is triggered by Go's url.Parse, which misinterprets the multiple colons in an ARN as a port indicator rather than part of the identifier.

How to Reproduce

  1. Create an AWS secret with an ARN like:
    arn:aws:secretsmanager:us-east-1:123456789012:secret:/demo/app/database
    
  2. Attempt to retrieve it from vals using:
    ref+awssecrets://arn:aws:secretsmanager:us-east-1:123456789012:secret:/demo/app/database?region=us-east-1
    
  3. Run vals (e.g., vals eval ...) and observe the error.

Expected Behavior

Vals should support ARN-based URIs for cross-account secrets as described in the documentation. Reference URIs using the full ARN should not cause a port parsing error.

Actual Behavior

A port parsing error occurs when vals processes the full ARN.

Workaround

Use the normalized path format as a workaround:

ref+awssecrets:///demo/app/database?region=us-east-1

This does not help in cross-account scenarios where the full ARN is required.

Suggested Solution

Implement special handling for ARN URIs (e.g., URL-encode or use a custom parser) to prevent colons from being misinterpreted by Go's URL parser.

Technical Reference

  • vals.go, line 342, uses url.Parse(key) which fails on full ARNs
  • Documentation examples encourage ARN usage but it is currently broken

Environment

  • vals version: latest
  • OS: Linux
  • Go version: (any)

Additional Context

The documentation gives this as a valid ARN-style URI:

ref+awssecrets://arn:aws:secretsmanager:us-east-1:123456789012:secret:/demo/app/database?region=us-east-1

But the parsing implementation does not handle it as intended.
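
One way to implement the custom-parser option from the Suggested Solution, as an added example that is not part of the original issue and is not vals' code: the query string is cut off first and the identifier is never passed to url.Parse. `SecretRef` and `ParseAWSSecretsRef` are hypothetical names, and the refs in `main` are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// SecretRef and ParseAWSSecretsRef are hypothetical names, not vals' API.
type SecretRef struct {
	ID     string // secret name/path, or the full ARN
	Region string // ?region= if given, else the ARN's region field
}

// ParseAWSSecretsRef cuts the query off first and never hands the identifier
// to url.Parse, so ARN colons cannot be read as a host:port separator.
func ParseAWSSecretsRef(ref string) (SecretRef, error) {
	const prefix = "ref+awssecrets://"
	if !strings.HasPrefix(ref, prefix) {
		return SecretRef{}, fmt.Errorf("not an awssecrets ref: %q", ref)
	}
	id, rawQuery, _ := strings.Cut(strings.TrimPrefix(ref, prefix), "?")
	params, err := url.ParseQuery(rawQuery)
	if err != nil || id == "" {
		return SecretRef{}, fmt.Errorf("malformed awssecrets ref: %q", ref)
	}
	out := SecretRef{ID: id, Region: params.Get("region")}
	if strings.HasPrefix(id, "arn:") {
		// arn:partition:secretsmanager:region:account:secret:name
		f := strings.SplitN(id, ":", 7)
		if len(f) != 7 || f[2] != "secretsmanager" || f[5] != "secret" || f[6] == "" {
			return SecretRef{}, fmt.Errorf("not a Secrets Manager secret ARN: %q", id)
		}
		if out.Region == "" {
			out.Region = f[3]
		}
	}
	return out, nil
}

func main() {
	// Constructed refs; the account ID is the placeholder used in the issue.
	for _, ref := range []string{
		"ref+awssecrets://arn:aws:secretsmanager:us-east-1:123456789012:secret:demo-app-db",
		"ref+awssecrets:///demo/app/database?region=us-east-1",
	} {
		_, stdErr := url.Parse(ref)
		parsed, err := ParseAWSSecretsRef(ref)
		fmt.Printf("url.Parse err=%v\nsplit: %+v err=%v\n\n", stdErr, parsed, err)
	}
}
```

Rejecting ARNs whose service or resource type is not a Secrets Manager secret keeps a mistyped or unexpected reference from being forwarded to the AWS API as a secret ID.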
