secretName from Secret.fromSecretCompleteArn not parsing correctly #28930
Comments
How do you reference them cross stacks? Check out my sample below (you don't need to parse the ARN):

```ts
import { Construct } from 'constructs';
import { CfnOutput, StackProps } from 'aws-cdk-lib';
import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';

export class SecretStack extends DemoStack {
  public readonly secret: secretsmanager.ISecret;
  constructor(scope: Construct, id: string, props: StackProps) {
    super(scope, id, props);
    const mysecret = new secretsmanager.Secret(this, 'OtherStackSecretToken', {
      generateSecretString: {
        secretStringTemplate: JSON.stringify({}),
        generateStringKey: 'SAMPLE_TOKEN',
        passwordLength: 100,
        excludePunctuation: true,
      },
    });
    // Expose the construct itself; the consuming stack reads secretName from it directly.
    this.secret = mysecret;
    new CfnOutput(this, 'SecretArn', { value: mysecret.secretArn });
    new CfnOutput(this, 'SecretName', { value: mysecret.secretName });
  }
}

export interface SecretRefStackProps extends StackProps {
  secret: secretsmanager.ISecret;
}

export class SecretRefStack extends DemoStack {
  constructor(scope: Construct, id: string, props: SecretRefStackProps) {
    super(scope, id, props);
    new CfnOutput(this, 'SecretArn', { value: props.secret.secretArn });
    new CfnOutput(this, 'SecretName', { value: props.secret.secretName });
  }
}
```

And in

```ts
const secretStack = new SecretStack(app, 'secret-stack', { env });
new SecretRefStack(app, 'secret-ref-stack', {
  env,
  secret: secretStack.secret,
});
```

```sh
$ npx cdk deploy --all
```

You should see this from the first stack

and this from the second stack

Both have the correct `secretName`.
And you are correct.

```ts
import { Construct } from 'constructs';
import { CfnOutput, StackProps } from 'aws-cdk-lib';
import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';

export class SecretStack extends DemoStack {
  public readonly secretArn: string;
  constructor(scope: Construct, id: string, props: StackProps) {
    super(scope, id, props);
    const mysecret = new secretsmanager.Secret(this, 'OtherStackSecretToken', {
      generateSecretString: {
        secretStringTemplate: JSON.stringify({}),
        generateStringKey: 'SAMPLE_TOKEN',
        passwordLength: 100,
        excludePunctuation: true,
      },
    });
    // Only the ARN (a cross-stack token) is exported this time.
    this.secretArn = mysecret.secretArn;
    new CfnOutput(this, 'SecretArn', { value: mysecret.secretArn });
    new CfnOutput(this, 'SecretName', { value: mysecret.secretName });
  }
}

export interface SecretRefStackProps extends StackProps {
  secretArn: string;
}

export class SecretRefStack extends DemoStack {
  constructor(scope: Construct, id: string, props: SecretRefStackProps) {
    super(scope, id, props);
    // Re-import the secret from the exported ARN and derive secretName from it.
    const secret = secretsmanager.Secret.fromSecretCompleteArn(this, 'ImportedSecret', props.secretArn);
    new CfnOutput(this, 'SecretArn', { value: secret.secretArn });
    new CfnOutput(this, 'SecretName', { value: secret.secretName });
  }
}
```

```ts
const secretStack = new SecretStack(app, 'secret-stack', { env });
new SecretRefStack(app, 'secret-ref-stack', {
  env,
  secretArn: secretStack.secretArn,
});
```

The 2nd stack will return
OK I got it. This is because the token is unresolved with a cross-stack reference, and it looks like there's no workaround for that.

aws-cdk/packages/aws-cdk-lib/aws-secretsmanager/lib/secret.ts, lines 972 to 975 in b32f47c

The solution is to use my first provided solution above.
Understood, thank you for the quick triage. The one reason I haven't been exporting the full secret is due to circular reference issues encountered intermittently. I'll go ahead and just export the `secretName` separately though, and that should resolve it.
@pahud does this mean that I note that `fromSecretNameV2` does warn about similar potential issues.
Yes, we'd better improve the doc for that.
Describe the bug
I have created a secret without specifying a secret name. When attempting to utilize that ARN in another stack, the ARN parse on it includes the secret version from the ARN, which doesn't work as an ID for a secret when attempting to retrieve it from the secret SDK.
Expected Behavior
(Other stack)

```ts
const otherStackSecretToken = new Secret(this, 'OtherStackSecretToken', {
  generateSecretString: {
    secretStringTemplate: JSON.stringify({}),
    generateStringKey: 'SAMPLE_TOKEN',
    passwordLength: 100,
    excludePunctuation: true,
  },
  encryptionKey: sampleEncryptionKey,
});
console.log(otherStackSecretToken.secretFullArn);
```

out: `arn:aws:secretsmanager:us-east-1:<account_id>:secret:OtherStackSecretToken12345-A4ee0mHKKJlq-yR0gFR`

(Current Stack)

```ts
const sampleSecret = Secret.fromSecretCompleteArn(this, 'SampleSecret', props.internalTokenArn);
console.log(sampleSecret.secretName);
```

out: `OtherStackSecretToken12345-A4ee0mHKKJlq-yR0gFR`
Current Behavior
(Other stack)

```ts
const otherStackSecretToken = new Secret(this, 'OtherStackSecretToken', {
  generateSecretString: {
    secretStringTemplate: JSON.stringify({}),
    generateStringKey: 'SAMPLE_TOKEN',
    passwordLength: 100,
    excludePunctuation: true,
  },
  encryptionKey: sampleEncryptionKey,
});
console.log(otherStackSecretToken.secretFullArn);
```

out: `arn:aws:secretsmanager:us-east-1:<account_id>:secret:OtherStackSecretToken12345-A4ee0mHKKJlq-yR0gFR`

(Current Stack)

```ts
const sampleSecret = Secret.fromSecretCompleteArn(this, 'SampleSecret', props.internalTokenArn);
console.log(sampleSecret.secretName);
```

out: `OtherStackSecretToken12345-A4ee0mHKKJlq-yR0gFR`
Issues:

Won't work:

```python
# Name with the six-character Secrets Manager suffix still attached
get_secret_value_response = client.get_secret_value(
    SecretId='OtherStackSecretToken12345-A4ee0mHKKJlq-yR0gFR'
)
```

Works:

```python
# Name with the suffix stripped
get_secret_value_response = client.get_secret_value(
    SecretId='OtherStackSecretToken12345-A4ee0mHKKJlq'
)
```
Reproduction Steps
(Other stack)

```ts
const otherStackSecretToken = new Secret(this, 'OtherStackSecretToken', {
  generateSecretString: {
    secretStringTemplate: JSON.stringify({}),
    generateStringKey: 'SAMPLE_TOKEN',
    passwordLength: 100,
    excludePunctuation: true,
  },
  encryptionKey: sampleEncryptionKey,
});
console.log(otherStackSecretToken.secretFullArn);
```

out: `arn:aws:secretsmanager:us-east-1:<account_id>:secret:OtherStackSecretToken12345-A4ee0mHKKJlq-yR0gFR`

(Current Stack)

```ts
const sampleSecret = Secret.fromSecretCompleteArn(this, 'SampleSecret', props.internalTokenArn);
console.log(sampleSecret.secretName);
```

out: `OtherStackSecretToken12345-A4ee0mHKKJlq-yR0gFR`
Possible Solution
If multiple "-" exist in the resource name, parse the last one off as this is a version.
Additional Information/Context
No response
CDK CLI Version
^2.14.0
Framework Version
No response
Node.js Version
latest
OS
linux
Language
TypeScript
Language Version
No response
Other information
No response
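An added example, not aws-cdk's code and not posted by either participant, that walks through both points raised in this thread: the suffix stripping the "Possible Solution" proposes, and the unresolved cross-stack token case the maintainer pointed at in `secret.ts`. It assumes a simplified stand-in for CDK's `Token.isUnresolved()` and uses a constructed account id.

```typescript
// Added example (not aws-cdk's own code). Parses the secret name out of a
// complete Secrets Manager ARN and reports when the ARN is still an
// unresolved cross-stack token, the case that has no synth-time fix.

// Simplified stand-in for CDK's Token.isUnresolved(): here any value that
// still carries a "${Token[...]}" marker counts as unresolved (assumption).
function isUnresolvedToken(value: string): boolean {
  return /\$\{Token\[[^\]]*\]\}/.test(value);
}

interface ParsedSecretName {
  secretName: string;
  resolved: boolean; // false: the name cannot be derived until deploy time
}

// Complete ARN layout: arn:partition:secretsmanager:region:account:secret:<name>-<6 chars>
// Secrets Manager appends "-" plus six random characters to the chosen (or
// CDK-generated) name; that suffix is not part of the name the API expects.
function secretNameFromCompleteArn(arn: string): ParsedSecretName {
  if (isUnresolvedToken(arn)) {
    // Nothing concrete to split yet. A deploy-time Fn::Select on the ARN
    // would still hand back "<name>-<suffix>", which is what the issue reports.
    return { secretName: arn, resolved: false };
  }
  const parts = arn.split(':');
  if (parts.length !== 7 || parts[2] !== 'secretsmanager' || parts[5] !== 'secret') {
    throw new Error(`not a complete Secrets Manager ARN: ${arn}`);
  }
  const resourceName = parts[6] ?? '';
  // Strip the suffix only if the text after the last hyphen looks like one
  // (exactly six alphanumerics). A name whose own last segment happens to be
  // six characters long is ambiguous; pass the name explicitly in that case.
  const lastHyphen = resourceName.lastIndexOf('-');
  const tail = lastHyphen === -1 ? '' : resourceName.slice(lastHyphen + 1);
  const hasSuffix = /^[A-Za-z0-9]{6}$/.test(tail);
  return {
    secretName: hasSuffix ? resourceName.slice(0, lastHyphen) : resourceName,
    resolved: true,
  };
}

// Constructed sample matching the shape in the issue (account id is made up).
const sampleArn =
  'arn:aws:secretsmanager:us-east-1:123456789012:secret:OtherStackSecretToken12345-A4ee0mHKKJlq-yR0gFR';
console.log(secretNameFromCompleteArn(sampleArn)); // { secretName: 'OtherStackSecretToken12345-A4ee0mHKKJlq', resolved: true }
console.log(secretNameFromCompleteArn('${Token[TOKEN.123]}')); // { secretName: '${Token[TOKEN.123]}', resolved: false }
```

For SDK calls, `GetSecretValue`'s `SecretId` also accepts the complete ARN, so the unparsed ARN can be passed through unchanged when the name cannot be resolved at synth time.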