Provide the ability to add an existing Secret to the Construct #639
Comments
|
I've stumbled accross this issue too and turns out, CDK can actually create Secret Resource policy on existing secret with secretsmanager.ResourcePolicy construct: import * as iam from "aws-cdk-lib/aws-iam";
import * as secretsmanager from "aws-cdk-lib/aws-secretsmanager";
import { KeyPair } from "cdk-ec2-key-pair";
const bastionKey = new KeyPair(this, "BastionKeyPair", {
keyPairName: "bastion/db",
description: "Key pair for RDS Bastion",
});
const bastionPK = secretsmanager.Secret.fromSecretCompleteArn(this, "BastionPK", bastionKey.privateKeyArn);
bastionKey.grantReadOnPrivateKey(externalAmazonSharingRole);
const bastionPKPolicy = new secretsmanager.ResourcePolicy(this, "BastionPKPolicy", {
secret: bastionPK
});
bastionPKPolicy.document.addStatements(new iam.PolicyStatement({
actions: [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
],
principals: [new iam.ArnPrincipal(principalArn)],
resources: [bastionPK.secretArn],
}));This is, however, a workaround and it would be much better if this construct was able to manage secret resource policy (ideally public and private keys KMS as well), as current behaviour of |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The current implementation doesn't allow access to the secretsmanager Secret at all. AFAIK there's no way to add a resource policy to the Secret via this implementation.
Would it be possible to create a variation of this Construct that takes an existing Secret as a prop? That way engineers can configure the Secret in the way that they need, while still using the key generation capabilities of the Custom Resource.
The text was updated successfully, but these errors were encountered: