(pipelines): missing SecretsManager permissions for asset action role #15628

@hoegertn

Description

If you specify SecretsManager environment variables for the CodeBuild projects, only the synth and the self-mutate actions have the appropriate IAM permissions, but all actions get the environment config.

Reproduction Steps

    import * as cb from '@aws-cdk/aws-codebuild';
    import * as pipelines from '@aws-cdk/pipelines';

    const pipeline = new pipelines.CodePipeline(this, 'pipeline', {
      synth: new pipelines.ShellStep('Synth', {
        input: pipelines.CodePipelineSource.connection('test/test', 'main', { connectionArn: 'arn' }),
        commands: ['npm ci', 'npx cdk synth'],
      }),
      // Defaults applied to every CodeBuild project the pipeline creates
      // (synth, self-mutate and asset publishing alike).
      codeBuildDefaults: {
        buildEnvironment: {
          environmentVariables: {
            // Resolved from Secrets Manager at build time, so the project's
            // service role needs secretsmanager:GetSecretValue on it.
            FOOBAR: {
              value: 'FoobarSecret',
              type: cb.BuildEnvironmentVariableType.SECRETS_MANAGER,
            },
          },
        },
      },
    });

If the stack/stage contains assets, the asset upload project has the environment config

    "EnvironmentVariables": [
      {
        "Name": "FOOBAR",
        "Type": "SECRETS_MANAGER",
        "Value": "FoobarSecret"
      }
    ],

but the role does not have the needed secretsmanager:GetSecretValue permissions. The roles for synth and self-mutate do get the permissions.
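The mismatch described above (every project gets the SECRETS_MANAGER variable, only some roles get the grant) is visible in the synthesized CloudFormation. The following is an added example, not code from the issue or from aws-cdk: a small audit that walks a synthesized template, maps each `AWS::CodeBuild::Project` to its service role, collects the actions granted to that role through inline `Policies` and `AWS::IAM::Policy` resources, and reports projects that receive a `SECRETS_MANAGER` variable without any grant covering `secretsmanager:GetSecretValue`. The embedded template is constructed to mirror the issue (synth and self-mutate roles granted, asset role not); the resource types and the `Fn::GetAtt` service-role reference are standard CloudFormation, everything else is sample data.

```typescript
// Added example, not code from the issue or from aws-cdk: audit a synthesized
// CloudFormation template (the JSON `cdk synth` writes) for CodeBuild projects
// that receive SECRETS_MANAGER environment variables while the service role
// they run under is never granted secretsmanager:GetSecretValue.

interface Template { Resources: { [logicalId: string]: any }; }

/** Logical id behind a plain string, `{ "Ref": id }` or `{ "Fn::GetAtt": [id, "Arn"] }`. */
function logicalIdOf(ref: any): string | undefined {
  if (typeof ref === 'string') return ref;
  if (ref && typeof ref.Ref === 'string') return ref.Ref;
  if (ref && Array.isArray(ref['Fn::GetAtt'])) return ref['Fn::GetAtt'][0];
  return undefined;
}

/** Every action string found in the Allow statements of one IAM policy document. */
function allowedActions(doc: any): string[] {
  const raw = doc && doc.Statement;
  const statements: any[] = Array.isArray(raw) ? raw : raw ? [raw] : [];
  const actions: string[] = [];
  for (const s of statements) {
    if (s.Effect !== 'Allow') continue;
    const list: any[] = Array.isArray(s.Action) ? s.Action : [s.Action];
    for (const a of list) if (typeof a === 'string') actions.push(a);
  }
  return actions;
}

/** Role logical id -> actions granted via inline Policies and AWS::IAM::Policy resources. */
function grantsByRole(tpl: Template): { [roleId: string]: string[] } {
  const grants: { [roleId: string]: string[] } = {};
  const add = (roleId: string | undefined, doc: any) => {
    if (!roleId) return;
    grants[roleId] = (grants[roleId] || []).concat(allowedActions(doc));
  };
  for (const id of Object.keys(tpl.Resources)) {
    const res = tpl.Resources[id];
    const props = res.Properties || {};
    if (res.Type === 'AWS::IAM::Role') {
      for (const p of props.Policies || []) add(id, p.PolicyDocument);
    } else if (res.Type === 'AWS::IAM::Policy') {
      for (const r of props.Roles || []) add(logicalIdOf(r), props.PolicyDocument);
    }
  }
  return grants;
}

/** True if any granted action pattern covers `wanted`: exact, `*`, or a trailing-wildcard prefix
 *  such as `secretsmanager:*` or `secretsmanager:Get*`. IAM action names are case-insensitive. */
function covers(actions: string[], wanted: string): boolean {
  const target = wanted.toLowerCase();
  for (const raw of actions) {
    const a = raw.toLowerCase();
    if (a === '*' || a === target) return true;
    if (a.charAt(a.length - 1) === '*' && target.indexOf(a.slice(0, -1)) === 0) return true;
  }
  return false;
}

/** Logical ids of CodeBuild projects with SECRETS_MANAGER variables but no GetSecretValue grant. */
function projectsMissingSecretAccess(tpl: Template): string[] {
  const grants = grantsByRole(tpl);
  const findings: string[] = [];
  for (const id of Object.keys(tpl.Resources)) {
    const res = tpl.Resources[id];
    if (res.Type !== 'AWS::CodeBuild::Project') continue;
    const env = (res.Properties && res.Properties.Environment) || {};
    const vars: any[] = env.EnvironmentVariables || [];
    if (!vars.some(v => v.Type === 'SECRETS_MANAGER')) continue;
    const roleId = logicalIdOf(res.Properties.ServiceRole);
    const actions = (roleId && grants[roleId]) || [];
    if (!covers(actions, 'secretsmanager:GetSecretValue')) findings.push(id);
  }
  return findings;
}

// Constructed sample template shaped like the issue: three projects share the
// same SECRETS_MANAGER variable, but only the synth and self-mutate roles are
// granted GetSecretValue (one via AWS::IAM::Policy, one via an inline policy).
const SECRET_VAR = [{ Name: 'FOOBAR', Type: 'SECRETS_MANAGER', Value: 'FoobarSecret' }];
const allowGetSecret = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: 'secretsmanager:GetSecretValue', Resource: '*' }],
};
const SAMPLE_TEMPLATE: Template = {
  Resources: {
    SynthRole: { Type: 'AWS::IAM::Role', Properties: {} },
    SynthRolePolicy: { Type: 'AWS::IAM::Policy', Properties: { PolicyDocument: allowGetSecret, Roles: [{ Ref: 'SynthRole' }] } },
    SynthProject: { Type: 'AWS::CodeBuild::Project', Properties: { ServiceRole: { 'Fn::GetAtt': ['SynthRole', 'Arn'] }, Environment: { EnvironmentVariables: SECRET_VAR } } },
    SelfMutateRole: { Type: 'AWS::IAM::Role', Properties: { Policies: [{ PolicyName: 'inline', PolicyDocument: allowGetSecret }] } },
    SelfMutateProject: { Type: 'AWS::CodeBuild::Project', Properties: { ServiceRole: { 'Fn::GetAtt': ['SelfMutateRole', 'Arn'] }, Environment: { EnvironmentVariables: SECRET_VAR } } },
    AssetsRole: { Type: 'AWS::IAM::Role', Properties: {} },
    AssetsProject: { Type: 'AWS::CodeBuild::Project', Properties: { ServiceRole: { 'Fn::GetAtt': ['AssetsRole', 'Arn'] }, Environment: { EnvironmentVariables: SECRET_VAR } } },
  },
};

/** Runs the audit over the constructed sample; returns ['AssetsProject']. */
function auditSample(): string[] {
  return projectsMissingSecretAccess(SAMPLE_TEMPLATE);
}
```

To use it on a real pipeline, parse a template from `cdk.out` with `JSON.parse` and pass it to `projectsMissingSecretAccess`; any project it names will fail at build start when CodeBuild tries to resolve the secret, which is the symptom the issue reports. The check deliberately treats a missing grant as a finding even when the role has unrelated Secrets Manager permissions such as `DescribeSecret`, because only `GetSecretValue` (or a wildcard covering it) lets the build read the value.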

What did you expect to happen?

The asset upload role has the needed permissions.

What actually happened?

No permissions are granted.

Environment

  • CDK CLI Version : 1.114.0
  • Framework Version: 1.114.0
  • Node.js Version: v16.4.2
  • OS : macOS
  • Language (Version): latest TS

Other


This is a 🐛 Bug Report
