From 9ed263cde0b41959ff267720c0978bfe7449337a Mon Sep 17 00:00:00 2001
From: Nick Lynch <1376292+njlynch@users.noreply.github.com>
Date: Tue, 25 Jan 2022 11:16:26 +0000
Subject: [PATCH] fix(secretsmanager): SecretRotation for secret imported by name has incorrect permissions (#18567)
The SecretRotation class currently always grants permissions to `secret.secretArn`; the correct value actually should either by the `secretFullArn` or `secretPartialArn` plus a suffix. This logic is currently covered by `SecretBase.arnForPolicies`. I opted to copy the logic rather than expose the member on both `SecretBase` and `ISecret`, but if more of these cases rise up, that may be the right solution.
fixes #18424
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 .../lib/rotation-schedule.ts | 2 +-
 .../test/rotation-schedule.test.ts | 51 +++++++++++++++++++
 2 files changed, 52 insertions(+), 1 deletion(-)
diff --git a/packages/@aws-cdk/aws-secretsmanager/lib/rotation-schedule.ts b/packages/@aws-cdk/aws-secretsmanager/lib/rotation-schedule.ts
index 3656f0d55ba57..7322148e2a245 100644
--- a/packages/@aws-cdk/aws-secretsmanager/lib/rotation-schedule.ts
+++ b/packages/@aws-cdk/aws-secretsmanager/lib/rotation-schedule.ts
@@ -92,7 +92,7 @@ export class RotationSchedule extends Resource {
 'secretsmanager:PutSecretValue',
 'secretsmanager:UpdateSecretVersionStage',
 ],
- resources: [props.secret.secretArn],
+ resources: [props.secret.secretFullArn ? props.secret.secretFullArn : `${props.secret.secretArn}-??????`],
 }),
 );
 props.rotationLambda.addToRolePolicy(
diff --git a/packages/@aws-cdk/aws-secretsmanager/test/rotation-schedule.test.ts b/packages/@aws-cdk/aws-secretsmanager/test/rotation-schedule.test.ts
index fab58e80e82d2..caa6543ec42f1 100644
--- a/packages/@aws-cdk/aws-secretsmanager/test/rotation-schedule.test.ts
+++ b/packages/@aws-cdk/aws-secretsmanager/test/rotation-schedule.test.ts
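Review bot: The new `resources` expression on the `+` line duplicates `SecretBase.arnForPolicies` (as the description says) with nothing in the code tying the two together, so they will drift silently the next time either is touched; a one-line comment would anchor them, e.g. `// Keep in sync with SecretBase.arnForPolicies: a secret imported by name or partial ARN needs the 6-character suffix wildcard to match its full ARN.` For anyone auditing the resulting policy, `name-??????` matches any secret whose name is the imported name plus a dash and six characters, not only the intended one, so this branch is intentionally a little broader than the full-ARN branch — unavoidable when the suffix is unknown at synth time, but worth stating in that comment. As a point of style, `props.secret.secretFullArn ?? `${props.secret.secretArn}-??????`` reads more directly than the self-referential ternary, if the project's lint configuration permits nullish coalescing. The enclosing constructor begins and ends outside the hunk.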
@@ -101,6 +101,57 @@ test('assign permissions for rotation schedule with a rotation Lambda', () => {
 });
 });
 
+test('grants correct permissions for secret imported by name', () => {
+ // GIVEN
+ const secret = secretsmanager.Secret.fromSecretNameV2(stack, 'Secret', 'mySecretName');
+ const rotationLambda = new lambda.Function(stack, 'Lambda', {
+ runtime: lambda.Runtime.NODEJS_10_X,
+ code: lambda.Code.fromInline('export.handler = event => event;'),
+ handler: 'index.handler',
+ });
+
+ // WHEN
+ new secretsmanager.RotationSchedule(stack, 'RotationSchedule', {
+ secret,
+ rotationLambda,
+ });
+
+ // THEN
+ Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
+ PolicyDocument: {
+ Statement: Match.arrayWith([
+ {
+ Action: [
+ 'secretsmanager:DescribeSecret',
+ 'secretsmanager:GetSecretValue',
+ 'secretsmanager:PutSecretValue',
+ 'secretsmanager:UpdateSecretVersionStage',
+ ],
+ Effect: 'Allow',
+ Resource: {
+ 'Fn::Join': ['', [
+ 'arn:',
+ { Ref: 'AWS::Partition' },
+ ':secretsmanager:',
+ { Ref: 'AWS::Region' },
+ ':',
+ { Ref: 'AWS::AccountId' },
+ ':secret:mySecretName-??????',
+ ]],
+ },
+ },
+ ]),
+ Version: '2012-10-17',
+ },
+ PolicyName: 'LambdaServiceRoleDefaultPolicyDAE46E21',
+ Roles: [
+ {
+ Ref: 'LambdaServiceRoleA8ED4D3B',
+ },
+ ],
+ });
+});
+
 test('assign kms permissions for rotation schedule with a rotation Lambda', () => {
 // GIVEN
 const encryptionKey = new kms.Key(stack, 'Key');
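Review bot: The new test pins generated logical IDs (`PolicyName: 'LambdaServiceRoleDefaultPolicyDAE46E21'` and `Roles: [{ Ref: 'LambdaServiceRoleA8ED4D3B' }]`) that have nothing to do with the behaviour under test, so an unrelated change to the Lambda construct's naming will break it; since `hasResourceProperties` matches a subset of properties, dropping those two keys keeps the assertion focused on the `:secret:mySecretName-??????` resource, which is the point of the fix. The inline handler `'export.handler = event => event;'` looks like a typo for `exports.handler`; it is harmless in a synth-only test and presumably copied from the sibling tests, but worth correcting together with them. The same `-??????` branch is reached for a secret imported via `Secret.fromSecretPartialArn`, so a second case sharing this expectation would cover the other way a partial ARN enters `RotationSchedule`.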