Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

secretsmanager.Secret: Add grantReadAndDescribe() function #7953

Closed
GrahamLea opened this issue May 13, 2020 · 1 comment · Fixed by #8409
Closed

secretsmanager.Secret: Add grantReadAndDescribe() function #7953

GrahamLea opened this issue May 13, 2020 · 1 comment · Fixed by #8409
Assignees
@skinny85
Labels
@aws-cdk/aws-secretsmanager Related to AWS Secrets Manager feature-request A feature should be added or improved. good first issue Related to contributions. See CONTRIBUTING.md

Comments

@GrahamLea
Copy link
Contributor

GrahamLea commented May 13, 2020
edited
Loading

The Secret.grantRead() should be accompanied by an analogous grantReadAndDescribe() function.

Use Case

aws/aws-secretsmanager-caching-java requires permission to execute the DescribeSecret action to perform its function.

When just using Secret.grantRead(), the SecretCache fails to access the secret:

com.amazonaws.services.secretsmanager.model.AWSSecretsManagerException: User: arn:aws:sts::SNIP:assumed-role/SNIP is not authorized to perform: secretsmanager:DescribeSecret on resource: arn:aws:secretsmanager:SNIP:SNIP:secret:/SNIP (Service: AWSSecretsManager; Status Code: 400; Error Code: AccessDeniedException; Request ID: SNIP)

There is currently no obvious way to grant DescribeSecret as well as GetSecretValue.

The same can be achieved relatively simply with IAM calls (see below), but the function would be nicer.

This is a 🚀 Feature Request
@GrahamLea GrahamLea added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels May 13, 2020
@GrahamLea
Copy link
Contributor Author

GrahamLea commented May 13, 2020
edited
Loading

Looks like this will probably do the trick:

        instance.role.addToPolicy(PolicyStatement.Builder.create()
            .resources(listOf(secret.secretArn))
            .actions(listOf("secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue"))
            .build())

@SomayaB SomayaB added the @aws-cdk/aws-secretsmanager Related to AWS Secrets Manager label May 18, 2020
@skinny85 skinny85 added the good first issue Related to contributions. See CONTRIBUTING.md label Jun 1, 2020
@SomayaB SomayaB removed the needs-triage This issue or PR still needs to be triaged. label Jun 2, 2020
@comcalvi comcalvi mentioned this issue Jun 6, 2020
Merged
@mergify mergify bot closed this as completed in #8409 Jun 6, 2020
mergify bot pushed a commit that referenced this issue Jun 6, 2020
@comcalvi
feat(secretsmanager): Secret.grantRead() also gives DescribeSecret pe…
f44ae60 
…rmissions (#8409)

`Secret.grantRead()` now gives permission for `secretmanager:DescribeSecret` and `secretmanager:GetSecretValue`,
instead of only `secretmanager:GetSecretValue`. 

Fixes #6444 
Fixes #7953 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@skinny85 skinny85

Labels
@aws-cdk/aws-secretsmanager Related to AWS Secrets Manager feature-request A feature should be added or improved. good first issue Related to contributions. See CONTRIBUTING.md
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(secretsmanager): Secret.grantRead() also gives DescribeSecret permissions comcalvi/aws-cdk
3 participants
@skinny85 @GrahamLea @SomayaB