fix(secretsmanager): SecretRotation for secret imported by name has incorrect permissions #18567
…ncorrect permissions The SecretRotation class currently always grants permissions to `secret.secretArn`; the correct value actually should either be the `secretFullArn` or `secretPartialArn` plus a suffix. This logic is currently covered by `SecretBase.arnForPolicies`. I opted to copy the logic rather than expose the member on both `SecretBase` and `ISecret`, but if more of these cases rise up, that may be the right solution. fixes #18424
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).
The SecretRotation class currently always grants permissions to `secret.secretArn`; the correct value actually should either be the `secretFullArn` or `secretPartialArn` plus a suffix. This logic is currently covered by `SecretBase.arnForPolicies`. I opted to copy the logic rather than expose the member on both `SecretBase` and `ISecret`, but if more of these cases rise up, that may be the right solution.

fixes #18424

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
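
The permission mismatch described in this pull request, as an added example that is not code from aws-cdk: a small model of the full-or-partial ARN choice plus an IAM-style wildcard matcher, showing that a grant on the name-derived ARN does not cover the secret's real ARN. Assumptions: `SecretRef`, `iamResourceMatches` and `checkGrants` are hypothetical names, the ARNs are constructed samples, a secret imported by name exposes only the partial ARN, and the suffix is taken to be `-??????` (the hyphen and six generated characters Secrets Manager appends to a secret's ARN).

```typescript
// Added illustration, not aws-cdk source. SecretRef is a simplified stand-in
// for an imported secret; all ARNs below are constructed sample values.
interface SecretRef {
  secretFullArn?: string;   // known only when the secret was imported by complete ARN
  secretPartialArn: string; // ARN derived from the secret name, without the random suffix
}

// Resource to place in an IAM statement: the full ARN when known, otherwise
// the partial ARN plus a wildcard for "-" and the six generated characters.
function arnForPolicies(secret: SecretRef): string {
  return secret.secretFullArn ?? `${secret.secretPartialArn}-??????`;
}

// IAM-style resource matching: "*" is any run of characters, "?" exactly one.
function iamResourceMatches(pattern: string, arn: string): boolean {
  const body = pattern
    .split("")
    .map((c) => (c === "*" ? ".*" : c === "?" ? "." : c.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")))
    .join("");
  return new RegExp("^" + body + "$").test(arn);
}

const PREFIX = "arn:aws:secretsmanager:us-east-1:111122223333:secret:";
const ACTUAL_ARN = PREFIX + "prod/db-creds-AbCdEf";        // ARN requests are evaluated against
const OTHER_ARN = PREFIX + "prod/db-creds-replica-XyZ123"; // different secret, same name prefix
const byName: SecretRef = { secretPartialArn: PREFIX + "prod/db-creds" };

// Compare the resource granted before the fix (the partial ARN as-is)
// with the resource computed by arnForPolicies.
function checkGrants(secret: SecretRef) {
  const fixed = arnForPolicies(secret);
  return {
    beforeFixMatches: iamResourceMatches(secret.secretPartialArn, ACTUAL_ARN),
    afterFixMatches: iamResourceMatches(fixed, ACTUAL_ARN),
    afterFixMatchesOther: iamResourceMatches(fixed, OTHER_ARN),
  };
}
```

The fixed-length `-??????` suffix, unlike a trailing `*`, keeps the grant from also covering other secrets whose names merely start with the same string.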