feat: support for credentials in AWS Secrets Manager

README.md

@@ -338,6 +338,17 @@ using [`os.ExpandEnv`](https://pkg.go.dev/os#ExpandEnv) at load time. The latter
 references of the form `$ENV_VAR_NAME` or `${ENV_VAR_NAME}` with the associated values from the
 environment.
 
+Additionally, the Amazon Resource Name (ARN) of a secret in AWS Secrets Manager can be provided
+as the secret. Topicctl will then retrieve the secret value from Secrets Manager and use it as
+the password. For example:
+```yaml
+sasl:
+    enabled: true
+    mechanism: SCRAM-SHA-512
+    username: my-username
+    password: arn:aws:secretsmanager:<Region>:<AccountId>:secret:SecretName
+```
+
 ### Topics
 
 Each topic is configured in a YAML file. The following is an

cmd/topicctl/subcmd/shared.go

@@ -3,9 +3,14 @@ package subcmd
 import (
 	"context"
 	"errors"
+	"fmt"
 	"os"
+	"strings"
 
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/arn"
 	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/secretsmanager"
 	"github.com/hashicorp/go-multierror"
 	"github.com/segmentio/topicctl/pkg/admin"
 	"github.com/segmentio/topicctl/pkg/config"
@@ -136,6 +141,25 @@ func (s sharedOptions) getAdminClient(
 			}
 		}
 
+		if strings.HasPrefix(s.saslPassword, "arn:aws:secretsmanager:") {
+			log.Debug("Fetching password from AWS secrets manager...")
+			sess := session.Must(session.NewSession())
+
+			svc := secretsmanager.New(sess, aws.NewConfig())
+
+			arn, err := arn.Parse(s.saslPassword)
+			if err != nil {
+				return nil, fmt.Errorf("failed to parse ARN from password: %v", err)
+			}
+
+			secretValue, err := svc.GetSecretValue(&secretsmanager.GetSecretValueInput{SecretId: aws.String(arn.Resource)})
+			if err != nil {
+				return nil, fmt.Errorf("failed to get secret value: %v", err)
+			}
+
+			s.saslPassword = *secretValue.SecretString
+		}
+
 		return admin.NewBrokerAdminClient(
 			ctx,
 			admin.BrokerAdminClientConfig{