fix(secretsmanager): fix cross-region policy arn for imported secrets #26813
Conversation
github-actions
bot
added
the
beginning-contributor
github-actions
bot
added
bug
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
rv2673
force-pushed
the
fix/#26811-fix-cross-region-import-secret-policy-arn
branch
from
f5db3de
to
5aef3cc
Compare
mrgrain
added
the
pr-linter/exempt-integ-test
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
aws-cdk-automation
added
the
pr/needs-community-review
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
aws-cdk-automation
removed
the
pr/needs-community-review
Pre 2.89.0 we could import a secret from a complete secret arn in one stack and reference this secret from another stack in a different region to include it in a policy/role through grantRead on the secret construct.
Since 2.89.0 the arn in the policy it treats the compledSecretArn as a partial arn adding -?????? which makes the policy invalid and not allowing access to the secret as intended.
This PR fixes that by overriding arnForPolicies for imported secrets to either return provided complete arn or partial arn with suffix.
Fixes #26811.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license