Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(secretsmanager): SecretRotation for secret imported by name has incorrect permissions #18567

Merged
merged 2 commits into from
Jan 25, 2022

Conversation

njlynch
Copy link
Contributor

@njlynch njlynch commented Jan 20, 2022

The SecretRotation class currently always grants permissions to
secret.secretArn; the correct value actually should either by the
secretFullArn or secretPartialArn plus a suffix. This logic is currently
covered by SecretBase.arnForPolicies. I opted to copy the logic rather than
expose the member on both SecretBase and ISecret, but if more of these cases
rise up, that may be the right solution.

fixes #18424


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

…ncorrect permissions

The SecretRotation class currently always grants permissions to
`secret.secretArn`; the correct value actually should either by the
`secretFullArn` or `secretPartialArn` plus a suffix. This logic is currently
covered by `SecretBase.arnForPolicies`. I opted to copy the logic rather than
expose the member on both `SecretBase` and `ISecret`, but if more of these cases
rise up, that may be the right solution.

fixes #18424
@njlynch njlynch requested a review from a team January 20, 2022 18:01
@njlynch njlynch self-assigned this Jan 20, 2022
@gitpod-io
Copy link

gitpod-io bot commented Jan 20, 2022

@mergify
Copy link
Contributor

mergify bot commented Jan 25, 2022

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
  • Commit ID: 9ab397b
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 9ed263c into master Jan 25, 2022
@mergify mergify bot deleted the njlynch/fix-sm-rotation branch January 25, 2022 11:16
@mergify
Copy link
Contributor

mergify bot commented Jan 25, 2022

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

LukvonStrom pushed a commit to LukvonStrom/aws-cdk that referenced this pull request Jan 26, 2022
…ncorrect permissions (aws#18567)

The SecretRotation class currently always grants permissions to
`secret.secretArn`; the correct value actually should either by the
`secretFullArn` or `secretPartialArn` plus a suffix. This logic is currently
covered by `SecretBase.arnForPolicies`. I opted to copy the logic rather than
expose the member on both `SecretBase` and `ISecret`, but if more of these cases
rise up, that may be the right solution.

fixes aws#18424

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
TikiTDO pushed a commit to TikiTDO/aws-cdk that referenced this pull request Feb 21, 2022
…ncorrect permissions (aws#18567)

The SecretRotation class currently always grants permissions to
`secret.secretArn`; the correct value actually should either by the
`secretFullArn` or `secretPartialArn` plus a suffix. This logic is currently
covered by `SecretBase.arnForPolicies`. I opted to copy the logic rather than
expose the member on both `SecretBase` and `ISecret`, but if more of these cases
rise up, that may be the right solution.

fixes aws#18424

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
@aws-cdk/aws-secretsmanager Related to AWS Secrets Manager contribution/core This is a PR that came from AWS.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

(aws-secretsmanager):Partial arn generated in policy when addRotationSchedule used on imported Secret
3 participants