

fix(secretsmanager): fix cross-region policyArn for imported secrets
rv2673 committed Aug 19, 2023
1 parent 00a7f03 commit 5aef3cc
Showing 2 changed files with 58 additions and 0 deletions.
2 changes: 2 additions & 0 deletions packages/aws-cdk-lib/aws-secretsmanager/lib/secret.ts
Expand Up @@ -601,6 +601,8 @@ export class Secret extends SecretBase {
public readonly secretName = parseSecretName(scope, secretArn);
protected readonly autoCreatePolicy = false;
public get secretFullArn() { return secretArnIsPartial ? undefined : secretArn; }
protected get arnForPolicies() { return secretArnIsPartial ? `${secretArn}-??????` : secretArn; }

}(scope, id, { environmentFromArn: secretArn });
}

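Review bot: The new `arnForPolicies` getter appends `-??????` to a partial ARN without saying why, and the next reader will not know whether the six `?` are a typo or intentional; a comment such as `// A full Secrets Manager ARN ends in '-' plus six random characters; '?' is IAM's single-character wildcard, so a partial ARN still matches in a policy resource.` would settle that. It is also worth stating in the same comment that, because `?` matches any character, the pattern appears to match every secret in that account and region whose name is the imported name followed by `-` and six characters, so a grant on a partial ARN can be broader than the caller expects; when the exact ARN is known, `fromSecretCompleteArn` gives the tighter policy. The enclosing anonymous class and the import method that returns it both start and end outside the hunk.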
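--- a/packages/aws-cdk-lib/aws-secretsmanager/test/secret.test.ts
+++ b/packages/aws-cdk-lib/aws-secretsmanager/test/secret.test.ts
@@ -1390,3 +1390,59 @@ test('cross-environment grant with direct object reference', () => {
 });
 
 });
+
+test('cross-environment grant with imported from completeArn', () => {
+// GIVEN
+const secretCompleteArn = 'arn:aws:secretsmanager:foobar:1111111111:secret:secret-name-suffix';
+const producerStack = new cdk.Stack(app, 'ProducerStack', { env: { region: 'foo', account: '1111111111' } });
+const consumerStack = new cdk.Stack(app, 'ConsumerStack', { env: { region: 'bar', account: '1111111111' } });
+const secret = secretsmanager.Secret.fromSecretCompleteArn(producerStack, 'Secret', secretCompleteArn);
+const role = new iam.Role(consumerStack, 'Role', { assumedBy: new iam.AccountRootPrincipal() });
+
+// WHEN
+secret.grantRead(role);
+
+// THEN
+Template.fromStack(consumerStack).hasResourceProperties('AWS::IAM::Policy', {
+PolicyDocument: {
+Version: '2012-10-17',
+Statement: [{
+Action: [
+'secretsmanager:GetSecretValue',
+'secretsmanager:DescribeSecret',
+],
+Effect: 'Allow',
+Resource: secretCompleteArn,
+}],
+},
+});
+
+});
+
+test('cross-environment grant with imported from partialArn', () => {
+// GIVEN
+const secretPartialArn = 'arn:aws:secretsmanager:foobar:1111111111:secret:secret-name';
+const producerStack = new cdk.Stack(app, 'ProducerStack', { env: { region: 'foo', account: '1111111111' } });
+const consumerStack = new cdk.Stack(app, 'ConsumerStack', { env: { region: 'bar', account: '1111111111' } });
+const secret = secretsmanager.Secret.fromSecretPartialArn(producerStack, 'Secret', secretPartialArn);
+const role = new iam.Role(consumerStack, 'Role', { assumedBy: new iam.AccountRootPrincipal() });
+
+// WHEN
+secret.grantRead(role);
+
+// THEN
+Template.fromStack(consumerStack).hasResourceProperties('AWS::IAM::Policy', {
+PolicyDocument: {
+Version: '2012-10-17',
+Statement: [{
+Action: [
+'secretsmanager:GetSecretValue',
+'secretsmanager:DescribeSecret',
+],
+Effect: 'Allow',
+Resource: `${secretPartialArn}-??????`,
+}],
+},
+});
+
+});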
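Review bot: The two added tests are identical except for the factory method and the expected `Resource`, so they will drift apart the next time one is edited; a `test.each` table keyed on `[factoryName, arn, expectedResource]` with a single body would make the intended contrast (complete ARN verbatim vs. partial ARN plus `-??????`) visible in one place. The region inside the fixture ARNs is `foobar` while the producer stack is created in `foo`, which obscures which environment the grant is supposed to resolve against; using the same region in both, `const secretCompleteArn = 'arn:aws:secretsmanager:foo:1111111111:secret:secret-name-suffix';`, would read more clearly unless the mismatch is deliberate. `app` is defined outside the hunk, presumably in a shared setup.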
