(CodeBuild): Add KMS decrypt to policy for secrets imported by name #14477
Comments
Hey @Kruspe, why would the CodeBuild role need Thanks,
Ah, OK. For some reason I thought we granted
If the value of the SecretsManager env variable is a Token, doesn't it mean it's referencing a Secret from the same account? We only add the
I do not think so. The Ref can also point to a secret in another account. The policy for secrets manager already works just
Side note: Right now we add a resource for every token, meaning that tokens which are extended with
Nope! That is not allowed in CloudFormation.
Gotta say, I'm not following this at all. Maybe you can create a draft Pull Request, and show me in a unit test what is the expected behavior?
Again, you lost me here. Another unit test in that draft PR?
…ls on Key decryption fixes aws#14477
Alright draft is ready at #14483. Sorry for the confusion. I hope this clarifies things. :)
Does the PR clarify this for you?
Let's ignore the solution for now and focus on the use case I would say.
Awesome, thanks!
Following up on #14043 and #14226. I was thinking about also allowing the kms:Decrypt action for secrets that get provided via Token.

aws-cdk/packages/@aws-cdk/aws-codebuild/lib/project.ts, lines 766 to 773 in e31587a

Since we already assume that the value is an Arn, we could parse it and then create an Arn for the kms key with the wildcard and add it to the set of kmsIamResources. If this is worth implementing I can create the PR. :)
Environment
This is 🐛 Bug Report
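The issue body above proposes parsing the secret ARN that CodeBuild receives and deriving a wildcard KMS key ARN in the same partition, region and account. The following is an added, self-contained TypeScript example of that derivation; it is not code from aws-cdk or from the issue author. The function names (parseSecretArn, kmsKeyWildcardArn, kmsDecryptStatement) and the sample ARNs are constructed for illustration, and the helper works on plain strings rather than on unresolved CDK Tokens, which the real project code would have to handle with the CDK's own ARN-splitting utilities.

```typescript
// Added example, not aws-cdk code: derive the KMS resource a CodeBuild role
// needs for kms:Decrypt when a Secrets Manager secret is supplied as an ARN.

interface ArnParts {
  partition: string;
  service: string;
  region: string;
  account: string;
  resource: string;
}

// Parse an ARN of the form
//   arn:<partition>:secretsmanager:<region>:<account>:secret:<name-suffix>
// and reject anything that is not a Secrets Manager secret ARN, so that an
// unexpected value never widens the resulting policy.
function parseSecretArn(arn: string): ArnParts {
  const parts = arn.split(':');
  if (parts.length < 7 || parts[0] !== 'arn' || parts[2] !== 'secretsmanager') {
    throw new Error(`not a Secrets Manager secret ARN: ${arn}`);
  }
  const [, partition, service, region, account] = parts;
  if (!region || !account) {
    throw new Error(`secret ARN lacks region or account: ${arn}`);
  }
  // The secret name may itself contain ':' (e.g. name-suffix pairs), so
  // rejoin everything after the account id.
  return { partition, service, region, account, resource: parts.slice(5).join(':') };
}

// The "Arn for the kms key with the wildcard" from the issue: any key in the
// secret's own partition/region/account. A secret encrypted with a key that
// lives in another account would need that account's key ARN instead.
function kmsKeyWildcardArn(secretArn: string): string {
  const { partition, region, account } = parseSecretArn(secretArn);
  return `arn:${partition}:kms:${region}:${account}:key/*`;
}

// Build one kms:Decrypt statement for a list of secret ARNs. Resources are
// de-duplicated (the issue's side note), so several secrets from the same
// account contribute a single entry instead of one per token.
function kmsDecryptStatement(secretArns: string[]): { Effect: string; Action: string[]; Resource: string[] } {
  const resources = new Set<string>();
  for (const arn of secretArns) {
    resources.add(kmsKeyWildcardArn(arn));
  }
  return {
    Effect: 'Allow',
    Action: ['kms:Decrypt'],
    Resource: [...resources].sort(),
  };
}

// Constructed sample input: two secrets in one account (one imported by name,
// hence the "-??????" suffix pattern) and one in a different partition/account.
const sampleSecretArns = [
  'arn:aws:secretsmanager:us-east-1:123456789012:secret:db-password-??????',
  'arn:aws:secretsmanager:us-east-1:123456789012:secret:api-key-GhIjKl',
  'arn:aws-cn:secretsmanager:cn-north-1:210987654321:secret:other-MnOpQr',
];

console.log(JSON.stringify(kmsDecryptStatement(sampleSecretArns), null, 2));
```

The key/* wildcard is scoped to one account and region, which is what the issue asks for, but it is still broader than naming the exact key; where the key ARN is known at synthesis time, that exact ARN is the tighter grant.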