From 57541c8ab5a5e41f69a883f80965b6af760930c6 Mon Sep 17 00:00:00 2001 From: Loki Date: Wed, 13 May 2026 11:01:51 +0000 Subject: [PATCH 1/2] fix(bootstrap): drop leading slash from Secrets Manager names (closes #62) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OpenClaw's exec secret reference (exec:aws-sm:) requires the secret name to start with an alphanumeric character per its regex: /^[A-Za-z0-9][A-Za-z0-9._:/-]{0,255}$/ The previous docs instructed users to create '/faststart/telegram-bot-token', which AWS Secrets Manager accepts but causes the openclaw gateway to fail startup with SECRETS_RELOADER_DEGRADED. Changes: - BOOTSTRAP-TELEGRAM.md: rename secret to 'faststart/telegram-bot-token' in all 7 references, plus add an explanatory note on the constraint - BOOTSTRAP-PIPELINE-NOTIFICATIONS.md: same rename for telegram-bot-token and github-token references - BOOTSTRAP-CODING-GUIDELINES.md: update naming convention to clarify Secrets Manager (no leading slash) vs SSM Parameter Store (leading slash is fine) — these have different rules Reported by @maxberta-ait. --- .../essential/BOOTSTRAP-CODING-GUIDELINES.md | 7 ++++--- .../optional/BOOTSTRAP-PIPELINE-NOTIFICATIONS.md | 8 ++++---- bootstraps/telegram/BOOTSTRAP-TELEGRAM.md | 16 +++++++++------- 3 files changed, 17 insertions(+), 14 deletions(-) diff --git a/bootstraps/essential/BOOTSTRAP-CODING-GUIDELINES.md b/bootstraps/essential/BOOTSTRAP-CODING-GUIDELINES.md index d5f9221..89db96a 100644 --- a/bootstraps/essential/BOOTSTRAP-CODING-GUIDELINES.md +++ b/bootstraps/essential/BOOTSTRAP-CODING-GUIDELINES.md 
@@ -39,8 +39,8 @@ ## ✅ DOs **Secrets & Config** -- All secrets → AWS Secrets Manager (`/faststart//`) -- All config → SSM Parameter Store (`/faststart//`) +- All secrets → AWS Secrets Manager (`faststart//` — no leading `/`; some agents reject it) +- All config → SSM Parameter Store (`/faststart//` — leading `/` is fine here) - Lambda config injected via CFN `Environment.Variables` using `!Ref`/`!Sub` - Frontend config injected as `VITE_*` build vars from CodeBuild SSM params - Use `AWS::AccountId`, `AWS::Region`, `AWS::StackName` pseudo-refs in CFN @@ -75,7 +75,8 @@ - Resources: `{project}-{resource}` (e.g. `outline-alb`) - IAM roles: `{project}-{purpose}-role` - Security groups: `{project}-{layer}-sg` -- SSM params: `/faststart/{project}/{key}` +- Secrets: `faststart/{project}/{key}` (no leading slash — OpenClaw's exec secret reference rejects it) +- SSM params: `/faststart/{project}/{key}` (leading slash is the SSM convention) --- diff --git a/bootstraps/optional/BOOTSTRAP-PIPELINE-NOTIFICATIONS.md b/bootstraps/optional/BOOTSTRAP-PIPELINE-NOTIFICATIONS.md index 14c0361..f584e87 100644 --- a/bootstraps/optional/BOOTSTRAP-PIPELINE-NOTIFICATIONS.md +++ b/bootstraps/optional/BOOTSTRAP-PIPELINE-NOTIFICATIONS.md @@ -32,7 +32,7 @@ CodePipeline state change ```bash aws secretsmanager create-secret \ - --name /faststart/telegram-bot-token \ + --name faststart/telegram-bot-token \ --secret-string "YOUR_BOT_TOKEN" \ --region us-east-1 ``` @@ -51,7 +51,7 @@ const cp = new CodePipelineClient({ region: "us-east-1" }); const ssm = new SSMClient({ region: "us-east-1" }); const CHAT_ID = process.env.TELEGRAM_CHAT_ID; -const SECRET_NAME = "/faststart/telegram-bot-token"; +const SECRET_NAME = "faststart/telegram-bot-token"; const INSTANCE_ID = process.env.OPENCLAW_INSTANCE_ID; let cachedToken = null; 
@@ -156,7 +156,7 @@ The role needs: { "Effect": "Allow", "Action": "secretsmanager:GetSecretValue", - "Resource": "arn:aws:secretsmanager:us-east-1:ACCOUNT_ID:secret:/faststart/telegram-bot-token-*" + "Resource": "arn:aws:secretsmanager:us-east-1:ACCOUNT_ID:secret:faststart/telegram-bot-token-*" }, { "Effect": "Allow", @@ -357,7 +357,7 @@ echo "Webhook URL: https://${API_ID}.execute-api.us-east-1.amazonaws.com/webhook ```bash export GH_TOKEN=$(aws secretsmanager get-secret-value \ - --secret-id /faststart/github-token --query SecretString --output text --region us-east-1) + --secret-id faststart/github-token --query SecretString --output text --region us-east-1) WEBHOOK_URL="https://API_ID.execute-api.us-east-1.amazonaws.com/webhook" diff --git a/bootstraps/telegram/BOOTSTRAP-TELEGRAM.md b/bootstraps/telegram/BOOTSTRAP-TELEGRAM.md index a107102..8c80295 100644 --- a/bootstraps/telegram/BOOTSTRAP-TELEGRAM.md +++ b/bootstraps/telegram/BOOTSTRAP-TELEGRAM.md @@ -21,18 +21,20 @@ Store it immediately in Secrets Manager — don't leave it in chat history: ```bash aws secretsmanager create-secret \ - --name /faststart/telegram-bot-token \ + --name faststart/telegram-bot-token \ --secret-string "YOUR_BOT_TOKEN_HERE" \ --region us-east-1 ``` +> **Note:** No leading `/` in the secret name. OpenClaw's exec secret reference (`exec:aws-sm:`) requires the name to start with an alphanumeric character; `/faststart/...` will fail gateway startup with a `SECRETS_RELOADER_DEGRADED` error. Slashes are allowed *inside* the name as separators. + ### Step 2: Get Your Telegram Chat ID Start a conversation with your new bot (send it any message). Then fetch your chat ID: ```bash BOT_TOKEN=$(aws secretsmanager get-secret-value \ - --secret-id /faststart/telegram-bot-token \ + --secret-id faststart/telegram-bot-token \ --query SecretString --output text --region us-east-1) curl -s "https://api.telegram.org/bot${BOT_TOKEN}/getUpdates" \ 
@@ -53,7 +55,7 @@ Add the Telegram channel to OpenClaw config. Ask Loki to run: ``` /config patch channels.telegram with: enabled: true - botToken: + botToken: dmPolicy: allowlist allowFrom: [YOUR_CHAT_ID] groupPolicy: allowlist @@ -64,7 +66,7 @@ Or use `openclaw config patch` directly: ```bash BOT_TOKEN=$(aws secretsmanager get-secret-value \ - --secret-id /faststart/telegram-bot-token \ + --secret-id faststart/telegram-bot-token \ --query SecretString --output text --region us-east-1) openclaw config patch <> ~/.hermes/.env @@ -148,7 +150,7 @@ Send your bot a message. You should get a response from the agent within a few s ```bash BOT_TOKEN=$(aws secretsmanager get-secret-value \ - --secret-id /faststart/telegram-bot-token \ + --secret-id faststart/telegram-bot-token \ --query SecretString --output text --region us-east-1) curl -s -X POST "https://api.telegram.org/bot${BOT_TOKEN}/sendMessage" \ @@ -285,7 +287,7 @@ To fetch the token from Secrets Manager: ```bash BOT_TOKEN=$(aws secretsmanager get-secret-value \ - --secret-id /faststart/telegram-bot-token \ + --secret-id faststart/telegram-bot-token \ --query SecretString --output text --region us-east-1) echo "TELEGRAM_BOT_TOKEN=${BOT_TOKEN}" >> ~/.ironclaw/.env From 7e1d2b8666b88b81b7f9d63fd3dced7ec7fd9971 Mon Sep 17 00:00:00 2001 From: Loki Date: Wed, 13 May 2026 11:08:12 +0000 Subject: [PATCH 2/2] fix(kiro-cli): drop leading slash from --from-secret example MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Same constraint as #62 — Secrets Manager names used as exec secret references must start with an alphanumeric character. Updating the install.sh help text so the example doesn't propagate the broken pattern. --- packs/kiro-cli/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packs/kiro-cli/install.sh b/packs/kiro-cli/install.sh index ab6e1a8..11fca13 100755 --- a/packs/kiro-cli/install.sh +++ b/packs/kiro-cli/install.sh 
@@ -58,7 +58,7 @@ Post-install authentication: Examples: ./install.sh ./install.sh --region eu-west-1 - ./install.sh --from-secret /faststart/kiro-api-key + ./install.sh --from-secret faststart/kiro-api-key SECURITY NOTE: Don't pass raw API keys on the command line. Store your key in AWS
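Review bot: The `Resource` ARN in the BOOTSTRAP-PIPELINE-NOTIFICATIONS.md hunk at `@@ -156,7 +156,7 @@` (`"Resource": "arn:aws:secretsmanager:us-east-1:ACCOUNT_ID:secret:faststart/telegram-bot-token-*"`) is broader than it looks: the trailing `-*` is meant to cover the six random characters Secrets Manager appends to the ARN, but it also matches any future secret whose name merely starts with `faststart/telegram-bot-token-`. Since the docs are being touched anyway, consider `...:secret:faststart/telegram-bot-token-??????`, which matches exactly the generated suffix and nothing else. It is also worth stating next to the policy that the old `/faststart/telegram-bot-token` secret, if it exists from an earlier install, is intentionally no longer covered.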
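Review bot: The `create-secret` hunks (`@@ -32,7 +32,7 @@` in BOOTSTRAP-PIPELINE-NOTIFICATIONS.md and `@@ -21,18 +21,20 @@` in BOOTSTRAP-TELEGRAM.md) only change the name for new installs; anyone who already followed the previous docs has a `/faststart/telegram-bot-token` secret that the new `get-secret-value --secret-id faststart/telegram-bot-token` calls will not find. Secrets Manager does not support renaming a secret, so the new `> **Note:**` block would be a good place for a short migration step: create the secret under the new name, then schedule the old one for deletion with `aws secretsmanager delete-secret --secret-id /faststart/telegram-bot-token`, so the stale copy of the token does not linger.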
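Review bot: In the BOOTSTRAP-CODING-GUIDELINES.md hunk at `@@ -39,8 +39,8 @@`, the added justification `no leading `/`; some agents reject it` is vaguer than the commit message, which names the actual constraint (the `exec:aws-sm:` reference regex `/^[A-Za-z0-9][A-Za-z0-9._:/-]{0,255}$/`). The second hunk in the same file already says OpenClaw rejects it; suggest making the first hunk consistent and quoting the regex once in the guidelines, so readers can check a candidate name themselves and see that the rule comes from the secret reference, not from Secrets Manager.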
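Review bot: The packs/kiro-cli/install.sh hunk at `@@ -58,7 +58,7 @@` fixes only the help-text example (`./install.sh --from-secret faststart/kiro-api-key`); a user who still types `--from-secret /faststart/kiro-api-key` will get the same `SECRETS_RELOADER_DEGRADED` failure at gateway startup described in the first commit. If install.sh turns this argument into an `exec:aws-sm:` reference, consider validating it against the same regex at parse time and rejecting a leading `/` with a clear message, so the mistake surfaces at install rather than at runtime.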