(codebuild): Secret manager env vars get the wrong arn on grant #12703

JFox · 2021-01-26T10:11:25Z

When adding environment variables to codebuild Projects, cdk adds the grant read for the secret. However, when adding a secret using the <secretName>:<secretKey> format, the generated arn includes the secretKey causing the arn to be wrong (aws::secretsmanager:eu-central-1:00000000000:secret:secretName:secretKey-??????)

Reproduction Steps

Create a codebuild Project using a secret env var with the <secretName>:<secretKey> format

What did you expect to happen?

the arn on the policy not to include the secretKey

What actually happened?

the arn on the policy included the secretKey

Environment

CDK CLI Version : 1.86.0
Framework Version: 1.86.0
Node.js Version: 13.8.0
OS : MacOS
Language (Version):TypeScript (3.9.7)

Other

This is 🐛 Bug Report

The text was updated successfully, but these errors were encountered:

…riables In the SecretsManager-typed environment variables in CodeBuild, the code in the Project class assumed those would be passed as names. As it turns out, CodeBuild also allows passing there entire ARNs of secrets (both partial, and full), and also optional qualifiers, separated by colons, that specify SecretsManager attributes like the JSON key, or the secret version. Add handling of all of these cases. Fixes aws#12703

…riables (#13706) In the SecretsManager-typed environment variables in CodeBuild, the code in the Project class assumed those would be passed as names. As it turns out, CodeBuild also allows passing there entire ARNs of secrets (both partial, and full), and also optional qualifiers, separated by colons, that specify SecretsManager attributes like the JSON key, or the secret version. Add handling of all of these cases. Fixes #12703 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

github-actions · 2021-03-26T18:26:37Z

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

…riables (aws#13706) In the SecretsManager-typed environment variables in CodeBuild, the code in the Project class assumed those would be passed as names. As it turns out, CodeBuild also allows passing there entire ARNs of secrets (both partial, and full), and also optional qualifiers, separated by colons, that specify SecretsManager attributes like the JSON key, or the secret version. Add handling of all of these cases. Fixes aws#12703 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

JFox added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 26, 2021

github-actions bot added the @aws-cdk/aws-codebuild Related to AWS CodeBuild label Jan 26, 2021

github-actions bot assigned skinny85 Jan 26, 2021

skinny85 added effort/medium Medium work item – several days of effort p1 and removed needs-triage This issue or PR still needs to be triaged. labels Jan 26, 2021

skinny85 mentioned this issue Mar 12, 2021

(CodeBuild): Environment Variables from cross account SecretsManager #13567

Closed

2 tasks

skinny85 mentioned this issue Mar 19, 2021

fix(codebuild): allow passing the ARN of the Secret in environment variables #13706

Merged

mergify bot closed this as completed in #13706 Mar 26, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

(codebuild): Secret manager env vars get the wrong arn on grant #12703

(codebuild): Secret manager env vars get the wrong arn on grant #12703

JFox commented Jan 26, 2021

github-actions bot commented Mar 26, 2021