From 908aced2a8f517fc22248eb7d8bbe0554b24f800 Mon Sep 17 00:00:00 2001
From: Jordan Gonzalez <30836115+duncanista@users.noreply.github.com>
Date: Tue, 31 Mar 2026 15:58:33 -0400
Subject: [PATCH] ci: migrate CI secrets from AWS SSM to Vault KV
Move secret retrieval in get_secrets.sh from aws ssm get-parameter to vault kv get, aligning with the pattern used by datadog-lambda-js.
---
 ci/get_secrets.sh | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)
diff --git a/ci/get_secrets.sh b/ci/get_secrets.sh
index 9d9c957c0..d854a9a40 100755
--- a/ci/get_secrets.sh
+++ b/ci/get_secrets.sh
@@ -21,21 +21,11 @@ fi
 printf "Getting AWS External ID...\n"
-EXTERNAL_ID=$(aws ssm get-parameter \
- --region us-east-1 \
- --name "ci.datadog-lambda-python.$EXTERNAL_ID_NAME" \
- --with-decryption \
- --query "Parameter.Value" \
- --out text)
+EXTERNAL_ID=$(vault kv get -field="$EXTERNAL_ID_NAME" kv/k8s/gitlab-runner/datadog-lambda-python/secrets)
 printf "Getting DD API KEY...\n"
-export DD_API_KEY=$(aws ssm get-parameter \
- --region us-east-1 \
- --name ci.datadog-lambda-python.dd-api-key \
- --with-decryption \
- --query "Parameter.Value" \
- --out text)
+export DD_API_KEY=$(vault kv get -field=dd-api-key kv/k8s/gitlab-runner/datadog-lambda-python/secrets)
 printf "Assuming role...\n"
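Review bot: On the new `export DD_API_KEY=$(vault kv get ...)` line the exit status of `vault` is discarded, because `export` itself returns 0, so an expired token, a wrong mount path or a missing `dd-api-key` field leaves an empty key exported and the job carries on toward the "Assuming role" step. Assign first and fail closed: `DD_API_KEY=$(vault kv get -field=dd-api-key kv/k8s/gitlab-runner/datadog-lambda-python/secrets) || exit 1` followed by `export DD_API_KEY`. The `EXTERNAL_ID=` assignment deserves the same `|| exit 1`, or a `: "${EXTERNAL_ID:?}"` guard, unless the script already runs under `set -e`, which the hunk does not show. Both values are now fields of a single KV path, so it is worth confirming that the runner's Vault policy is scoped to read only this path, since any reader of it presumably sees every field stored there.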