in source/lambda/secrets-manager-metadata/lambda_function.py [0:0]
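def _get_key_arn_for_secret(secret_arn):
    '''
    Validate a secret against the Amazon MSK SCRAM limitations and return its KMS key.

    There are some requirements when using SCRAM authentication with Amazon MSK:
    https://docs.aws.amazon.com/msk/latest/developerguide/msk-password.html#msk-password-limitations
    This custom resource checks for those limitations, and returns the KmsKeyId
    (which will be used on the Lambda role policy).

    Args:
        secret_arn: Value passed as SecretId to DescribeSecret.

    Returns:
        The KmsKeyId reported by DescribeSecret for the secret.

    Raises:
        Exception: If the secret name does not start with AmazonMSK_, or if the
            secret is encrypted with the default Secrets Manager key.
    '''
    describe_response = client_secrets_manager.describe_secret(SecretId=secret_arn)

    if not describe_response['Name'].startswith('AmazonMSK_'):
        raise Exception('The name of secrets associated with an Amazon MSK cluster must have the prefix AmazonMSK_')

    kms_key_id = describe_response.get('KmsKeyId')
    # A missing KmsKeyId means the default key is in use. The default key can
    # also be named explicitly on the secret, in which case the field may be
    # present and point at the aws/secretsmanager alias (bare alias or alias
    # ARN); reject that form too so the check cannot be bypassed by naming
    # the default key.
    if not kms_key_id or kms_key_id.endswith('alias/aws/secretsmanager'):
        raise Exception('You cannot use a Secret that uses the default Secrets Manager encryption key with Amazon MSK')

    # NOTE(review): KmsKeyId can be a key ID or an alias ARN rather than a key
    # ARN. Confirm the role policy built from this value scopes KMS access to
    # the intended key and does not fall back to a wildcard resource.
    return kms_key_id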