Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(aws-secretsmanager):Partial arn generated in policy when addRotationSchedule used on imported Secret #18424

Closed
RaphaelManke opened this issue Jan 14, 2022 · 1 comment · Fixed by #18567
Closed

(aws-secretsmanager):Partial arn generated in policy when addRotationSchedule used on imported Secret #18424

RaphaelManke opened this issue Jan 14, 2022 · 1 comment · Fixed by #18567
Labels
@aws-cdk/aws-secretsmanager Related to AWS Secrets Manager bug This issue is a bug. effort/small Small work item – less than a day of effort good first issue Related to contributions. See CONTRIBUTING.md p1

Comments

@RaphaelManke
Copy link
Contributor

RaphaelManke commented Jan 14, 2022
edited
Loading

What is the problem?

Given a secret a is imported by Secret.fromSecretNamev2 and a rotation lambda is added by Secret.addRotationSchedule() the policy that is added to the lambda which grants the required permissions for updating the secret during rotation, is invalid because the ressource arn generated for the policy does not include the suffix -??????.
This results that the rotation lambda can not read or write the secret within the rotation process.

If the rotation lambda is added to a secret that is created by new Secret() the policy works as expected.

Reproduction Steps

const rotationLambda = new NodejsFunction(this, "RotationLambda")

const mysecret = Secret.fromSecretNameV2(this, 'Secret', 'mySecretName')

mysecret.addRotationSchedule('RotationSchedule', {
    rotationLambda: rotationLambda,
})

What did you expect to happen?

{
    "Action": [
      "secretsmanager:DescribeSecret",
      "secretsmanager:GetSecretValue",
      "secretsmanager:PutSecretValue",
      "secretsmanager:UpdateSecretVersionStage"
    ],
    "Resource": "arn:aws:secretsmanager:{Region}:{AccountId}:secret:mySecretName-??????",
    "Effect": "Allow"
  }

What actually happened?

{
    "Action": [
      "secretsmanager:DescribeSecret",
      "secretsmanager:GetSecretValue",
      "secretsmanager:PutSecretValue",
      "secretsmanager:UpdateSecretVersionStage"
    ],
    "Resource": "arn:aws:secretsmanager:<Region>:<AccountId>:secret:mySecretName",
    "Effect": "Allow"
  }

CDK CLI Version

2.3.0 (build beaa5b2)

Framework Version

No response

Node.js Version

v14.17.1

OS

macOS

Language

Typescript

Language Version

TypeSript (4.5.4)

Other information

I looked into the code and noticed that the RotationSchedule construct generates the policy and uses props.secret.secretArn

aws-cdk/packages/@aws-cdk/aws-secretsmanager/lib/rotation-schedule.ts

Line 95 in c7c51de

resources: [props.secret.secretArn],
which generates a partial arn without the required suffix in case of a secret that is imported by name.
In the case that a new secret is created this works because the attribute holds a Token that points to the full arn.

One possible fix could be to use the

aws-cdk/packages/@aws-cdk/aws-secretsmanager/lib/secret.ts

Line 389 in c7c51de

protected get arnForPolicies() {

function instead of the secretArn attribute which hopefully will return the correct arn. But this function is protected and therefore not useable.

I fixed it by adding an additional policy to the lambda with the same logic like the one from the protected function.

rotationLambda.addToRolePolicy(
    new PolicyStatement({
        actions: [
            'secretsmanager:DescribeSecret',
            'secretsmanager:GetSecretValue',
            'secretsmanager:PutSecretValue',
            'secretsmanager:UpdateSecretVersionStage',
        ],
        resources: [secret.secretFullArn ? secret.secretFullArn : `${secret.secretArn}-??????`],
    })
)
@RaphaelManke RaphaelManke added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 14, 2022
@github-actions github-actions bot added the @aws-cdk/aws-secretsmanager Related to AWS Secrets Manager label Jan 14, 2022
@ryparker ryparker added p2 and removed needs-triage This issue or PR still needs to be triaged. labels Jan 14, 2022
@njlynch njlynch added effort/small Small work item – less than a day of effort good first issue Related to contributions. See CONTRIBUTING.md p1 and removed p2 labels Jan 20, 2022
njlynch added a commit that referenced this issue Jan 20, 2022
@njlynch
fix(secretsmanager): SecretRotation for secret imported by name has i…
dea14ca 
…ncorrect permissions

The SecretRotation class currently always grants permissions to
`secret.secretArn`; the correct value actually should either by the
`secretFullArn` or `secretPartialArn` plus a suffix. This logic is currently
covered by `SecretBase.arnForPolicies`. I opted to copy the logic rather than
expose the member on both `SecretBase` and `ISecret`, but if more of these cases
rise up, that may be the right solution.

fixes #18424
@njlynch njlynch mentioned this issue Jan 20, 2022
Merged
@njlynch njlynch removed their assignment Jan 20, 2022
@mergify mergify bot closed this as completed in #18567 Jan 25, 2022
mergify bot pushed a commit that referenced this issue Jan 25, 2022
@njlynch
fix(secretsmanager): SecretRotation for secret imported by name has i…
9ed263c 
…ncorrect permissions (#18567)

The SecretRotation class currently always grants permissions to
`secret.secretArn`; the correct value actually should either by the
`secretFullArn` or `secretPartialArn` plus a suffix. This logic is currently
covered by `SecretBase.arnForPolicies`. I opted to copy the logic rather than
expose the member on both `SecretBase` and `ISecret`, but if more of these cases
rise up, that may be the right solution.

fixes #18424

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

LukvonStrom pushed a commit to LukvonStrom/aws-cdk that referenced this issue Jan 26, 2022
@njlynch @LukvonStrom
fix(secretsmanager): SecretRotation for secret imported by name has i…
29faa56 
…ncorrect permissions (aws#18567)

The SecretRotation class currently always grants permissions to
`secret.secretArn`; the correct value actually should either by the
`secretFullArn` or `secretPartialArn` plus a suffix. This logic is currently
covered by `SecretBase.arnForPolicies`. I opted to copy the logic rather than
expose the member on both `SecretBase` and `ISecret`, but if more of these cases
rise up, that may be the right solution.

fixes aws#18424

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
TikiTDO pushed a commit to TikiTDO/aws-cdk that referenced this issue Feb 21, 2022
@njlynch @TikiTDO
fix(secretsmanager): SecretRotation for secret imported by name has i…
f8fd7de 
…ncorrect permissions (aws#18567)

The SecretRotation class currently always grants permissions to
`secret.secretArn`; the correct value actually should either by the
`secretFullArn` or `secretPartialArn` plus a suffix. This logic is currently
covered by `SecretBase.arnForPolicies`. I opted to copy the logic rather than
expose the member on both `SecretBase` and `ISecret`, but if more of these cases
rise up, that may be the right solution.

fixes aws#18424

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-secretsmanager Related to AWS Secrets Manager bug This issue is a bug. effort/small Small work item – less than a day of effort good first issue Related to contributions. See CONTRIBUTING.md p1
Projects
None yet
Milestone
No milestone
3 participants
@njlynch @RaphaelManke @ryparker