improve performance with list, fix docs

Author: jszobody

docs/guide/installation.md

@@ -24,7 +24,7 @@ alias keep="./vendor/bin/keep"
 
 ## Global Installation (Optional)
 
-If you don't plan to use any framework integration, you can install Keep globally:
+If you don't plan to use any framework integration, you can install Keep globally and use it as a standalone CLI tool across all your projects.
 
 ```bash
 composer global require stechstudio/keep

docs/guide/vaults/aws-secrets-manager.md

@@ -72,7 +72,10 @@ For developers who need complete access to manage secrets across all environment
     {
       "Sid": "ListSecretsAccountWide",
       "Effect": "Allow",
-      "Action": "secretsmanager:ListSecrets",
+      "Action": [
+        "secretsmanager:ListSecrets",
+        "secretsmanager:BatchGetSecretValue"
+      ],
       "Resource": "*"
     },
     {
@@ -117,17 +120,17 @@ For developers who should only access development and staging environments:
   "Version": "2012-10-17",
   "Statement": [
     {
-      "Sid": "ReadWriteDevStagingSecrets",
+      "Sid": "ReadWriteMyAppStagingAndProd",
       "Effect": "Allow",
       "Action": [
         "secretsmanager:GetSecretValue",
-        "secretsmanager:BatchGetSecretValue",
         "secretsmanager:DescribeSecret",
         "secretsmanager:ListSecretVersionIds",
         "secretsmanager:PutSecretValue",
         "secretsmanager:UpdateSecret",
         "secretsmanager:UpdateSecretVersionStage",
         "secretsmanager:DeleteSecret",
+        "secretsmanager:RestoreSecret",
         "secretsmanager:TagResource",
         "secretsmanager:UntagResource"
       ],
@@ -138,27 +141,24 @@ For developers who should only access development and staging environments:
           "secretsmanager:ResourceTag/Namespace": "myapp"
         },
         "ForAnyValue:StringEquals": {
-          "secretsmanager:ResourceTag/Stage": ["development", "staging"]
+          "secretsmanager:ResourceTag/Stage": [
+            "staging",
+            "production"
+          ]
         }
       }
     },
     {
-      "Sid": "ListOnlyMyAppDevStagingSecrets",
+      "Sid": "ListSecretsAccountWide",
       "Effect": "Allow",
-      "Action": "secretsmanager:ListSecrets",
-      "Resource": "*",
-      "Condition": {
-        "StringEquals": {
-          "secretsmanager:ResourceTag/ManagedBy": "Keep",
-          "secretsmanager:ResourceTag/Namespace": "myapp"
-        },
-        "ForAnyValue:StringEquals": {
-          "secretsmanager:ResourceTag/Stage": ["development", "staging"]
-        }
-      }
+      "Action": [
+        "secretsmanager:ListSecrets",
+        "secretsmanager:BatchGetSecretValue"
+      ],
+      "Resource": "*"
     },
     {
-      "Sid": "CreateSecretsInDevStaging",
+      "Sid": "CreateSecretsInStagingAndProd",
       "Effect": "Allow",
       "Action": "secretsmanager:CreateSecret",
       "Resource": "*",
@@ -168,28 +168,18 @@ For developers who should only access development and staging environments:
           "aws:RequestTag/Namespace": "myapp"
         },
         "ForAnyValue:StringEquals": {
-          "aws:RequestTag/Stage": ["development", "staging"]
+          "aws:RequestTag/Stage": [
+            "staging",
+            "production"
+          ]
         },
         "ForAllValues:StringEquals": {
-          "aws:TagKeys": ["ManagedBy", "Namespace", "Stage", "VaultSlug"]
-        }
-      }
-    },
-    {
-      "Sid": "DenyProductionAccess",
-      "Effect": "Deny",
-      "Action": [
-        "secretsmanager:GetSecretValue",
-        "secretsmanager:BatchGetSecretValue",
-        "secretsmanager:DescribeSecret",
-        "secretsmanager:PutSecretValue",
-        "secretsmanager:UpdateSecret",
-        "secretsmanager:DeleteSecret"
-      ],
-      "Resource": "*",
-      "Condition": {
-        "StringEquals": {
-          "secretsmanager:ResourceTag/Stage": "production"
+          "aws:TagKeys": [
+            "ManagedBy",
+            "Namespace",
+            "Stage",
+            "VaultSlug"
+          ]
         }
       }
     },
@@ -216,45 +206,26 @@ For production deployment processes that only need to read production secrets:
   "Version": "2012-10-17",
   "Statement": [
     {
-      "Sid": "ReadOnlyProductionSecrets",
+      "Sid": "ReadOnlyMyAppProduction",
       "Effect": "Allow",
       "Action": [
         "secretsmanager:GetSecretValue",
-        "secretsmanager:BatchGetSecretValue",
         "secretsmanager:DescribeSecret"
       ],
       "Resource": "*",
       "Condition": {
         "StringEquals": {
-          "secretsmanager:ResourceTag/ManagedBy": "Keep",
           "secretsmanager:ResourceTag/Namespace": "myapp",
           "secretsmanager:ResourceTag/Stage": "production"
         }
       }
     },
     {
-      "Sid": "ListOnlyProductionSecrets",
+      "Sid": "ListSecretsAccountWide",
       "Effect": "Allow",
-      "Action": "secretsmanager:ListSecrets",
-      "Resource": "*",
-      "Condition": {
-        "StringEquals": {
-          "secretsmanager:ResourceTag/ManagedBy": "Keep",
-          "secretsmanager:ResourceTag/Namespace": "myapp",
-          "secretsmanager:ResourceTag/Stage": "production"
-        }
-      }
-    },
-    {
-      "Sid": "DenyWriteOperations",
-      "Effect": "Deny",
       "Action": [
-        "secretsmanager:CreateSecret",
-        "secretsmanager:PutSecretValue",
-        "secretsmanager:UpdateSecret",
-        "secretsmanager:DeleteSecret",
-        "secretsmanager:TagResource",
-        "secretsmanager:UntagResource"
+        "secretsmanager:ListSecrets",
+        "secretsmanager:BatchGetSecretValue"
       ],
       "Resource": "*"
     },

src/Vaults/AwsSecretsManagerVault.php

@@ -82,7 +82,7 @@ public function list(): SecretCollection
 
             do {
                 $params = [
-                    'MaxResults'             => 100, // AWS Secrets Manager max
+                    'MaxResults'             => 20,
                     'Filters'                => [
                         [
                             'Key'    => 'tag-key',
@@ -116,14 +116,10 @@ public function list(): SecretCollection
                     $params['NextToken'] = $nextToken;
                 }
 
-                $result = $this->client()->listSecrets($params);
+                $result = $this->client()->batchGetSecretValue($params);
 
-                foreach ($result->get('SecretList') as $secret) {
+                foreach ($result->get('SecretValues') as $secret) {
                     $secretName = $secret['Name'];
-                    $currentVersion = Arr::first(
-                        array_keys($secret['SecretVersionsToStages']),
-                        fn($key) => in_array('AWSCURRENT', $secret['SecretVersionsToStages'][$key] ?? [], true)
-                    );
 
                     // Extract the key from the full secret name using the expected format
                     $expectedPrefix = Keep::getNamespace().'/'.$this->stage.'/';
@@ -142,29 +138,16 @@ public function list(): SecretCollection
                         continue;
                     }
 
-                    // Get the actual secret value
-                    try {
-                        $secretValue = $this->client()->getSecretValue([
-                            'SecretId' => $secretName,
-                        ]);
-
-                        $value = $secretValue->get('SecretString');
-                        $isSecure = true; // AWS Secrets Manager always encrypts
-
-                        $secrets->push(Secret::fromVault(
-                            key: $key,
-                            value: $value,
-                            encryptedValue: null,
-                            secure: $isSecure,
-                            stage: $this->stage,
-                            revision: $currentVersion,
-                            path: $secretName,
-                            vault: $this,
-                        ));
-                    } catch (SecretsManagerException $e) {
-                        // Skip secrets we can't read (permission issues, etc.)
-                        continue;
-                    }
+                    $secrets->push(Secret::fromVault(
+                        key: $key,
+                        value: $secret['SecretString'] ?? null,
+                        encryptedValue: null,
+                        secure: true,
+                        stage: $this->stage,
+                        revision: $secret['VersionId'] ?? 1,
+                        path: $secretName,
+                        vault: $this,
+                    ));
                 }
 
                 $nextToken = $result->get('NextToken');
@@ -336,7 +319,7 @@ public function history(string $key, FilterCollection $filters, ?int $limit = 10
                     $histories->push(new SecretHistory(
                         key: $key,
                         value: $secretValue->get('SecretString'),
-                        version: intval($version['VersionId'] ?? 1),
+                        version: $version['VersionId'] ?? 1,
                         lastModifiedDate: isset($version['CreatedDate']) ? Carbon::parse($version['CreatedDate']) : null,
                         lastModifiedUser: null, // AWS Secrets Manager doesn't track user info
                         dataType: 'SecretString',

src/Vaults/AwsSsmVault.php

@@ -51,10 +51,6 @@ public static function configure(array $existingSettings = []): array
 
     public function format(?string $key = null): string
     {
-        if (is_callable($this->keyFormatter)) {
-            return call_user_func($this->keyFormatter, $key, $this->stage, $this->config);
-        }
-
         return Str::of($this->config['prefix'] ?? '')
             ->start('/')->finish('/')
             ->append(Keep::getNamespace().'/')

tests/Support/TestVault.php

@@ -108,8 +108,7 @@ public function format(?string $key = null): string
             return sprintf('/%s/%s/', $this->config['namespace'] ?? 'test-app', $this->stage);
         }
 
-        $formatter = $this->keyFormatter ?? fn ($k) => strtoupper($k);
-        $formattedKey = call_user_func($formatter, $key);
+        $formattedKey = strtoupper($key);
 
         return sprintf('/%s/%s/%s', $this->config['namespace'] ?? 'test-app', $this->stage, $formattedKey);
     }