

fix(codebuild): Secret env variable as token from another account fai…
…ls on Key decryption

fixes aws#14477
Kruspe committed May 3, 2021
1 parent affaaad commit 4d03b79
Showing 1 changed file with 43 additions and 0 deletions.
43 changes: 43 additions & 0 deletions packages/@aws-cdk/aws-codebuild/test/test.project.ts
Expand Up @@ -1282,6 +1282,49 @@ export = {
test.done();
},

"when provided as a Token referencing a different account, adds permission to decrypt keys in the Secret's account"(test: Test) {
// GIVEN
const stack = new cdk.Stack();
const secretToken = cdk.Lazy.string({ produce: () => 'arn:aws:secretsmanager:us-west-2:901234567890:secret:mysecret' });

// WHEN
const secret = secretsmanager.Secret.fromSecretPartialArn(stack, 'Secret', secretToken);
new codebuild.PipelineProject(stack, 'Project', {
environmentVariables: {
'ENV_VAR1': {
type: codebuild.BuildEnvironmentVariableType.SECRETS_MANAGER,
value: secret.secretArn,
},
},
});

// THEN
expect(stack).to(haveResourceLike('AWS::IAM::Policy', {
'PolicyDocument': {
'Statement': arrayWith({
'Action': 'kms:Decrypt',
'Effect': 'Allow',
'Resource': {
'Fn::Join': [
'',
[
'arn:',
{ 'Ref': 'AWS::Partition' },
':kms:',
{ 'Fn::Select': [3, { 'Fn::Split': [':', 'arn:aws:secretsmanager:us-west-2:901234567890:secret:mysecret'] }] },
':',
{ 'Fn::Select': [4, { 'Fn::Split': [':', 'arn:aws:secretsmanager:us-west-2:901234567890:secret:mysecret'] }] },
':key/*',
],
],
},
}),
},
}));

test.done();
},

'can be provided as the ARN attribute of a new Secret, followed by a JSON key'(test: Test) {
// GIVEN
const stack = new cdk.Stack();
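Review bot: The expected `Resource` in the new test pins `kms:Decrypt` to `key/*` in the secret's region and account, but nothing in the test says why a wildcard over every key is the intended grant rather than an accident; a partial secret ARN carries no key id, so the account/region scope is the tightest the project can derive, and that reasoning belongs next to the assertion, e.g. `// key/* is deliberate: a partial secret ARN does not identify the KMS key, so the grant is scoped to the secret's account and region instead`. Because the check uses `arrayWith`, it only proves that this statement is present and would still pass if the project also emitted a broader `kms:Decrypt` statement (for example with `Resource: '*'`), so consider asserting the full `Statement` array or adding a negative check for an unscoped Decrypt. The test name says the token references a different account, yet the stack is created with no explicit `env`, so the "different account" condition presumably rests on the stack account being an unresolved token at synth time; if that is the intent, a one-line comment in the GIVEN section would make the precondition explicit. The enclosing `export = { ... }` test object starts and ends outside this hunk.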

