

Update with tests for cross-account KMS key grant
pergardebrink committed Dec 17, 2023
1 parent aea48db commit aadaafc
Showing 3 changed files with 350 additions and 63 deletions.
55 changes: 26 additions & 29 deletions packages/aws-cdk-lib/aws-lambda/test/params-and-secrets.test.ts
Expand Up @@ -433,6 +433,32 @@ describe('params and secrets', () => {
Ref: 'SecretA720EF05',
},
},
{
Action: 'kms:Decrypt',
Condition: {
StringEquals: {
'kms:ViaService': {
'Fn::Join': [
'',
[
'secretsmanager.',
{
Ref: 'AWS::Region',
},
'.amazonaws.com',
],
],
},
},
},
Effect: 'Allow',
Resource: {
'Fn::GetAtt': [
'Key961B73FD',
'Arn',
],
},
},
],
Version: '2012-10-17',
},
Expand Down Expand Up @@ -555,35 +581,6 @@ describe('params and secrets', () => {
},
Resource: '*',
},
{
Action: 'kms:Decrypt',
Condition: {
StringEquals: {
'kms:ViaService': {
'Fn::Join': [
'',
[
'secretsmanager.',
{
Ref: 'AWS::Region',
},
'.amazonaws.com',
],
],
},
},
},
Effect: 'Allow',
Principal: {
AWS: {
'Fn::GetAtt': [
'FunctionServiceRole675BB04A',
'Arn',
],
},
},
Resource: '*',
},
]),
},
});
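Review bot: The new expectation in the first hunk pins the kms:Decrypt statement (with the kms:ViaService condition and the `Key961B73FD` Arn as Resource) in the function role's identity policy, but the second hunk only deletes the old key-policy expectation without replacing it with a negative one, so a regression that emits the statement to both the key policy and the role policy would still pass. Consider keeping an assertion on the `AWS::KMS::Key` resource's `KeyPolicy.Statement`, e.g. `Match.not(Match.arrayWith([Match.objectLike({ Principal: { AWS: { 'Fn::GetAtt': ['FunctionServiceRole675BB04A', 'Arn'] } } })]))`, so the test states where the grant must not appear as well as where it must. With a same-account key the identity-policy grant is only effective because the default key policy delegates to IAM; for the cross-account case named in the commit title the key policy in the key's account must also allow the principal, and no test using a key imported from another account is visible in these two files (the third changed file is not shown here and may cover it). The enclosing `describe('params and secrets', …)` and test bodies start and end outside both hunks.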
2 changes: 1 addition & 1 deletion packages/aws-cdk-lib/aws-secretsmanager/lib/secret.ts
Expand Up @@ -382,7 +382,7 @@ abstract class SecretBase extends Resource implements ISecret {
if (this.encryptionKey) {
// @see https://docs.aws.amazon.com/kms/latest/developerguide/services-secrets-manager.html
this.encryptionKey.grantDecrypt(
new kms.ViaServicePrincipal(`secretsmanager.${Stack.of(this).region}.amazonaws.com`, grantee.grantPrincipal),
new kms.ViaServicePrincipal(`secretsmanager.${Stack.of(this).region}.amazonaws.com`, grantee.grantPrincipal)
);
}

