-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(secretsmanager ): grant_read/grant_write on secret throws KMS key error on role from same account #15450
Comments
Hi @mooiweer , I am not able to reproduce this error if I use a However, I can reproduce the error if I supply an ARN such as: "arn:aws:iam::123456789012:role/MyRole-AJJHDSKSDF" where the account id inside the ARN does not match the account id of my stack's environment. Can you please verify that the ARN of the role is in fact in the same account that your stack environment is using? |
I'm experiencing the same issue. In my case the ARN of the role is stored in the parameter store. This is indeed introduced in version 1.111.0. The ARN of the role is the same as the account deployed to, but my best bet is that CDK can't tell because it doesn't actively pull it from SSM. |
Thanks for the extra detail, @nwouda. This seems to be a case where the CDK is performing validation in some cases where we can't actually know the value, like referencing an ARN in SSM. And agreed this is probably a regression introduced in 1.111.0. Despite it being a regression, I am going to triage as a p2 since customers have a workaround which is to explicitly add to the role's policy instead of using the |
@nwouda and @mooiweer if either of you are interesting in fixing this yourself, please take a look at the contributing guide. |
I am affected by this, and I believe the issue was introduced with this commit: |
…cess (#17812) Fix for #15450 Previous code did not check if the account IDs were the different. This checks if CDK is able to resolve the account ids and they are different then fail otherwise let the user create a secret. FYI first PR. Let me know if there is something that I missed. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This can be closed was fixed in https://github.com/aws/aws-cdk/releases/tag/v1.140.0 |
|
…cess (aws#17812) Fix for aws#15450 Previous code did not check if the account IDs were the different. This checks if CDK is able to resolve the account ids and they are different then fail otherwise let the user create a secret. FYI first PR. Let me know if there is something that I missed. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Giving a preexisting role read/write access to a secret using the grant_read/grant_write method on a secret throws the error:
"KMS Key must be provided for cross account access to Secret"
Even though both secret and role are from the same AWS account.
Reproduction Steps
Use an existing role and create a new secret
Give it read/write access
What did you expect to happen?
I expect the created secret to be created with read and write rights added to the existing role.
What actually happened?
CDK deploy throws an error:
KMS Key must be provided for cross account access to Secret
Even though both the (pre-existing) and the secret are on the same AWS account
Environment
Other
This worked before version 1.111.0
Workaround:
I think it was introduced by this commit:
ea40cfe
This is 🐛 Bug Report
The text was updated successfully, but these errors were encountered: