Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

secretsmanager: Cross region policy reference imported Secret has wildcard suffix on completeSecretArn #26811

Closed
rv2673 opened this issue Aug 18, 2023 · 2 comments · Fixed by #26813
Closed

secretsmanager: Cross region policy reference imported Secret has wildcard suffix on completeSecretArn #26811

rv2673 opened this issue Aug 18, 2023 · 2 comments · Fixed by #26813
Assignees
@mrgrain
Labels
@aws-cdk/aws-secretsmanager Related to AWS Secrets Manager bug This issue is a bug. effort/small Small work item – less than a day of effort p0

Comments

@rv2673
Copy link
Contributor

rv2673 commented Aug 18, 2023

Describe the bug

Pre 2.89.0 we could import a secret from a complete secret arn in one stack and reference this secret from another stack in a different region to include it in a policy/role through grantRead on the secret construct.

Since 2.89.0 the arn in the policy it treats the compleSecretArn as a partial arn adding -?????? which makes the policy invalid and not allowing access to the secret as intended.

Expected Behavior

If importing secret from a complete arn the arn used in policies should be complete arn and not include wildcard for matching a suffix. Which allows intended action by the policy.

Current Behavior

When referencing import secret construct from a cross-region stack the arn used in policies has wildcard suffix matcher appended which makes the referenced policy invalid for allowing intended action.

Reproduction Steps

  • Create cdk app with following stack
  • Create stack in one region which includes a Secret construct imported from a complete secret arn
  • Create stack in other region which includes Role which is granted access to the secret with grantRead on the secret construct
  • synthesis stack, and see additional role suffix.

Reproduction repository:
https://github.com/rv2673/aws-cdk-cross-region-secret-import-reproduction

Possible Solution

  • Override arnForPolicies in the class returned from fromSecretAttributes method on Secret construct.
  • Fix conditions in the _arnForPolicies Lazy.string implementation function

Additional Information/Context

No response

CDK CLI Version

2.92.0

Framework Version

No response

Node.js Version

18

OS

ubuntu

Language

Typescript

Language Version

No response

Other information

No response
@rv2673 rv2673 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 18, 2023
@github-actions github-actions bot added the @aws-cdk/aws-secretsmanager Related to AWS Secrets Manager label Aug 18, 2023
@rv2673 rv2673 mentioned this issue Aug 18, 2023
Merged
@peterwoodworth peterwoodworth added p0 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Aug 18, 2023
@rv2673 rv2673 mentioned this issue Aug 18, 2023
Merged
@peterwoodworth
Copy link
Contributor

Thanks for creating an issue for this and PR

@mrgrain mrgrain self-assigned this Aug 18, 2023
mrgrain added a commit to rv2673/aws-cdk that referenced this issue Aug 23, 2023
@mrgrain
Merge branch 'main' into fix/aws#26811-fix-cross-region-import-secret…
8d94045 
…-policy-arn
@mergify mergify bot closed this as completed in #26813 Aug 23, 2023
mergify bot pushed a commit that referenced this issue Aug 23, 2023
@rv2673
fix(secretsmanager): fix cross-region policy arn for imported secrets (
d5050ce 
…#26813)

Pre 2.89.0 we could import a secret from a complete secret arn in one stack and reference this secret from another stack in a different region to include it in a policy/role through grantRead on the secret construct.

Since 2.89.0 the arn in the policy it treats the compledSecretArn as a partial arn adding -?????? which makes the policy invalid and not allowing access to the secret as intended.

This PR fixes that by overriding arnForPolicies for imported secrets to either return provided complete arn or partial arn with suffix.

Fixes #26811.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@github-actions github-actions bot mentioned this issue Sep 1, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mrgrain mrgrain

Labels
@aws-cdk/aws-secretsmanager Related to AWS Secrets Manager bug This issue is a bug. effort/small Small work item – less than a day of effort p0
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(secretsmanager): fix cross-region policy arn for imported secrets rv2673/aws-cdk
3 participants
@mrgrain @rv2673 @peterwoodworth