Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

secrets: addRotationSchedule() with fromSecretNameV2() does not create correct iam policy for lambda #28308

Closed
pahud opened this issue Dec 8, 2023 · 2 comments · Fixed by #28379
Closed

secrets: addRotationSchedule() with fromSecretNameV2() does not create correct iam policy for lambda #28308

pahud opened this issue Dec 8, 2023 · 2 comments · Fixed by #28379
Labels
bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments

@pahud
Copy link
Contributor

pahud commented Dec 8, 2023
edited
Loading

Describe the bug

Given the code:

    const alertsServiceCredentials = new secrets.Secret(this, `secret-rotated`, {
      generateSecretString: {
        secretStringTemplate: JSON.stringify({
          username: 'service_rw_',
          engine: 'mysql',
          host: 'dummy-host',
          port: '3306',
          dbname: 'dummy-db'
        }),
        generateStringKey: 'password'
      }
    });

    let adminLogin = secrets.Secret.fromSecretNameV2(this, 'lookup-admin-login', 'MySecret');

    const schedule = alertsServiceCredentials.addRotationSchedule(
      'rotation-schedule',
      {
        automaticallyAfter: Duration.days(30),
        hostedRotation: secrets.HostedRotation.mysqlMultiUser({
          vpc,
          masterSecret: adminLogin
        }),
      }
    );

This will create an IAM policy statement for lambda that only allows to GetSecretValue on partial secret arn without trailing 6 characters hence permission denied.

{
    "Statement": [
        {
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:MySecret",
            "Effect": "Allow"
        }
    ]
}

Expected Behavior

should render correct IAM policy statement

Current Behavior

does not render correct IAM policy statement for Lambda role.

Reproduction Steps

see the code above

Possible Solution

  1. use fromSecretCompleteArn() to generate full secret arn in the iam policy
  2. use escape hatches to append -?????? to the ARN

For example

    const schedule = alertsServiceCredentials.addRotationSchedule(
      'rotation-schedule',
      {
        automaticallyAfter: Duration.days(30),
        hostedRotation: secrets.HostedRotation.mysqlMultiUser({
          vpc,
          masterSecret: adminLogin
        }),
      }
    );

    const cfnRotationSchedule = schedule.node.tryFindChild('Resource') as secrets.CfnRotationSchedule
    cfnRotationSchedule.addPropertyOverride('HostedRotationLambda.MasterSecretArn', `${adminLogin.secretArn}-??????`)

And when you run cdk diff we should see this

Resources
[~] AWS::SecretsManager::RotationSchedule secret-rotated/rotation-schedule secretrotatedrotationscheduleFF5ED1F3 
 └─ [~] HostedRotationLambda
     └─ [~] .MasterSecretArn:
         ├─ [-] arn:aws:secretsmanager:us-east-1:123456789012:secret:MySecret
         └─ [+] arn:aws:secretsmanager:us-east-1:123456789012:secret:MySecret-??????

Additional Information/Context

No response

CDK CLI Version

2.113.0

Framework Version

No response

Node.js Version

v18.16.0

OS

mac

Language

TypeScript

Language Version

No response

Other information

No response
@pahud pahud added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Dec 8, 2023
@pahud
Copy link
Contributor Author

pahud commented Dec 8, 2023

ticket V1146438482

@go-to-k go-to-k mentioned this issue Dec 15, 2023
Merged
@mergify mergify bot closed this as completed in #28379 Dec 20, 2023
mergify bot pushed a commit that referenced this issue Dec 20, 2023
@go-to-k
fix(secretsmanager): hosted rotation with fromSecretNameV2() does not…
4ab5bb2 
… create correct iam policy (#28379)

In the case for a hosted rotation with a master secret by `fromSecretNameV2()`, IAM policy for lambda is not correct.

The secret by the method has a partial ARN, so a generated IAM policy should use an ARN with `'-??????'`, but it will not use the ARN.

Closes #28308.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions GitHub Actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@github-actions github-actions bot mentioned this issue Jan 1, 2024
Closed
paulhcsun pushed a commit to paulhcsun/aws-cdk that referenced this issue Jan 5, 2024
@go-to-k @paulhcsun
fix(secretsmanager): hosted rotation with fromSecretNameV2() does not…
1bf5fb1 
… create correct iam policy (aws#28379)

In the case for a hosted rotation with a master secret by `fromSecretNameV2()`, IAM policy for lambda is not correct.

The secret by the method has a partial ARN, so a generated IAM policy should use an ARN with `'-??????'`, but it will not use the ARN.

Closes aws#28308.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug This issue is a bug. effort/medium Medium work item – several days of effort p2
Projects
None yet
Milestone
No milestone
1 participant
@pahud