Skip to content

(aws-secretsmanager):Partial arn generated in policy when addRotationSchedule used on imported Secret  #18424

New issue
New issue
Closed
#18567
Closed
(aws-secretsmanager):Partial arn generated in policy when addRotationSchedule used on imported Secret #18424
#18567
Labels
@aws-cdk/aws-secretsmanagerRelated to AWS Secrets ManagerbugThis issue is a bug.effort/smallSmall work item – less than a day of effortgood first issueRelated to contributions. See CONTRIBUTING.mdp1
@RaphaelManke

Description

@RaphaelManke
RaphaelManke
opened on Jan 14, 2022 · edited by RaphaelManke
Contributor

What is the problem?

Given a secret a is imported by Secret.fromSecretNamev2 and a rotation lambda is added by Secret.addRotationSchedule() the policy that is added to the lambda which grants the required permissions for updating the secret during rotation, is invalid because the ressource arn generated for the policy does not include the suffix -??????.
This results that the rotation lambda can not read or write the secret within the rotation process.

If the rotation lambda is added to a secret that is created by new Secret() the policy works as expected.

Reproduction Steps

const rotationLambda = new NodejsFunction(this, "RotationLambda")

const mysecret = Secret.fromSecretNameV2(this, 'Secret', 'mySecretName')

mysecret.addRotationSchedule('RotationSchedule', {
    rotationLambda: rotationLambda,
})

What did you expect to happen?

{
    "Action": [
      "secretsmanager:DescribeSecret",
      "secretsmanager:GetSecretValue",
      "secretsmanager:PutSecretValue",
      "secretsmanager:UpdateSecretVersionStage"
    ],
    "Resource": "arn:aws:secretsmanager:{Region}:{AccountId}:secret:mySecretName-??????",
    "Effect": "Allow"
  }

What actually happened?

{
    "Action": [
      "secretsmanager:DescribeSecret",
      "secretsmanager:GetSecretValue",
      "secretsmanager:PutSecretValue",
      "secretsmanager:UpdateSecretVersionStage"
    ],
    "Resource": "arn:aws:secretsmanager:<Region>:<AccountId>:secret:mySecretName",
    "Effect": "Allow"
  }

CDK CLI Version

2.3.0 (build beaa5b2)

Framework Version

No response

Node.js Version

v14.17.1

OS

macOS

Language

Typescript

Language Version

TypeSript (4.5.4)

Other information

I looked into the code and noticed that the RotationSchedule construct generates the policy and uses props.secret.secretArn

aws-cdk/packages/@aws-cdk/aws-secretsmanager/lib/rotation-schedule.ts

Line 95 in c7c51de

resources: [props.secret.secretArn],
which generates a partial arn without the required suffix in case of a secret that is imported by name.
In the case that a new secret is created this works because the attribute holds a Token that points to the full arn.

One possible fix could be to use the

aws-cdk/packages/@aws-cdk/aws-secretsmanager/lib/secret.ts

Line 389 in c7c51de

protected get arnForPolicies() {

function instead of the secretArn attribute which hopefully will return the correct arn. But this function is protected and therefore not useable.

I fixed it by adding an additional policy to the lambda with the same logic like the one from the protected function.

rotationLambda.addToRolePolicy(
    new PolicyStatement({
        actions: [
            'secretsmanager:DescribeSecret',
            'secretsmanager:GetSecretValue',
            'secretsmanager:PutSecretValue',
            'secretsmanager:UpdateSecretVersionStage',
        ],
        resources: [secret.secretFullArn ? secret.secretFullArn : `${secret.secretArn}-??????`],
    })
)

Activity

RaphaelManke
added
bugThis issue is a bug.
needs-triageThis issue or PR still needs to be triaged.
on Jan 14, 2022
github-actions
added
@aws-cdk/aws-secretsmanagerRelated to AWS Secrets Manager
on Jan 14, 2022
github-actions
assigned
njlynch
on Jan 14, 2022
ryparker
added
p2
and removed
needs-triageThis issue or PR still needs to be triaged.
on Jan 14, 2022
njlynch
added
effort/smallSmall work item – less than a day of effort
good first issueRelated to contributions. See CONTRIBUTING.md
p1
and removed
p2
on Jan 20, 2022
njlynch
added a commit that references this issue on Jan 20, 2022

fix(secretsmanager): SecretRotation for secret imported by name has i…

dea14ca
njlynch
mentioned this on Jan 20, 2022
njlynch
removed their assignment
on Jan 20, 2022
mergify
closed this as completedin #18567on Jan 25, 2022
mergify
added a commit that references this issue on Jan 25, 2022

fix(secretsmanager): SecretRotation for secret imported by name has i…

9ed263c

3 remaining items

Loading
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    @aws-cdk/aws-secretsmanagerRelated to AWS Secrets ManagerbugThis issue is a bug.effort/smallSmall work item – less than a day of effortgood first issueRelated to contributions. See CONTRIBUTING.mdp1

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      Participants

      @njlynch@RaphaelManke@ryparker

      Issue actions
        (aws-secretsmanager):Partial arn generated in policy when addRotationSchedule used on imported Secret · Issue #18424 · aws/aws-cdk