-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(codebuild): Secret env variable from another account fails on Key decryption #14226
Conversation
Thanks for the contribution @Kruspe!
It's actually very easy to write tests in the CDK for cross-account usecases - they look exactly like other unit tests, you just provide different account numbers when creating the Stacks. Here's a simple example from the CodePipeline tests: aws-cdk/packages/@aws-cdk/aws-codepipeline-actions/test/pipeline.test.ts Lines 966 to 1049 in 8a949dc
|
226792c
to
3854465
Compare
@skinny85 thanks for the hint! Should be ready for review now. |
When providing a secretArn from a another account for the EnvironmentVariables allow kms:Decrypt action for any key. This enables CodeBuild to get the secret without any further policy changes by the user. fixes aws#14043
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great @Kruspe! Couple of minor changes before we merge this in. Thanks for the contribution!
Use Token.compareStrings to be able to compare the accounts in a better way and handle tokens.
When providing two different secrets from another account we only want to add the kms:Decrypt option for one resource since it already contains a wildcard
Alright. Thanks for the suggestions. I think all of them are valid and they are now implemented. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks awesome @Kruspe, thanks so much for the contribution!
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
… decryption (aws#14226) When providing a secretArn for the EnvironmentVariables allow kms:Decrypt action for any key so that CodeBuild is able to get secrets that are stored in different accounts. fixes aws#14043 ---- @skinny85 I didn't implement the if statement we talked about to check weither the secret actually lives in another account, since I wasn't able to come up with a good test for that. Any suggestions on this? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
… decryption (aws#14226) When providing a secretArn for the EnvironmentVariables allow kms:Decrypt action for any key so that CodeBuild is able to get secrets that are stored in different accounts. fixes aws#14043 ---- @skinny85 I didn't implement the if statement we talked about to check weither the secret actually lives in another account, since I wasn't able to come up with a good test for that. Any suggestions on this? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
When providing a secretArn for the EnvironmentVariables allow kms:Decrypt
action for any key so that CodeBuild is able to get secrets that are stored
in different accounts.
fixes #14043
@skinny85 I didn't implement the if statement we talked about to check weither the secret actually lives in another account, since I wasn't able to come up with a good test for that. Any suggestions on this?
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license