(secretsmanager): Partial ARN used in policies and `secretFullArn` evaluates to the partial ARN when Secret used across environments

[gshpychka]

Describe the bug

When a Secret is created and then passed to a cross-env stack (provided the secret has a specified physical name), its internal arnForPolicies is its partial ARN without the 6-character suffix. This is wrong, as the generated policies from e.g. grantRead cannot use the partial ARN as is - they have to append -?????? to it.

Expected Behavior

When doing Secret.grantRead in a cross-environment stack, the resulting CF template contains the partial ARN of the secret followed by -??????.

Current Behavior

The partial ARN is used as is.

Reproduction Steps

Here's a simple Python app:

import os
import aws_cdk as cdk
from aws_cdk import aws_iam as iam, aws_secretsmanager as sm, aws_ssm as ssm
​
app = cdk.App()
​
root_env = cdk.Environment(
    account=os.environ["CDK_DEFAULT_ACCOUNT"], region="us-east-1"
)
cross_region_env = cdk.Environment(
    account=os.environ["CDK_DEFAULT_ACCOUNT"], region="us-west-2"
)
​
producer_stack = cdk.Stack(app, "producer", env=root_env)
consumer_stack = cdk.Stack(app, "consumer", env=cross_region_env)
​
secret = sm.Secret(producer_stack, "secret", secret_name="MySecret")
role = iam.Role(consumer_stack, "role", assumed_by=iam.ServicePrincipal("foo"))
​
secret.grant_read(role)

ssm.StringParameter(consumer_stack, "parameter", string_value=secret.secret_full_arn)
​
app.synth()

Relevant excerpts of the synthed template of the consumer:

  "roleDefaultPolicy7C980EBA": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":secretsmanager:us-east-1:574067550520:secret:MySecret"
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "roleDefaultPolicy7C980EBA",

The value of secretFullArn evaluates to the partial ARN, which is probably related.

  "parameter76C24FC7": {
   "Type": "AWS::SSM::Parameter",
   "Properties": {
    "Type": "String",
    "Value": {
     "Fn::Join": [
      "",
      [
       "arn:",
       {
        "Ref": "AWS::Partition"
       },
       ":secretsmanager:us-east-1:574067550520:secret:MySecret"
      ]
     ]
    }
   },
   "Metadata": {
    "aws:cdk:path": "consumer/parameter/Resource"
   }
  }
 },

Possible Solution

No response

Additional Information/Context

In addition, the secret's secretFullArn prop evaluates to the partial ARN at synth time (in the consumer stack, that is).

CDK CLI Version

2.45.0

Framework Version

No response

Node.js Version

18.9.0

OS

Linux

Language

Python

Language Version

No response

Other information

No response

[aiden-sobey]

We also lost time to this bug, would love to see a fix by AWS.

[gshpychka]

@madeline-k can you please take a look?

[peterwoodworth]

I'm not sure where exactly we handle cross-env references, so I'm not too sure where to look for this. However, can you work around this by either passing in the CfnSecret.ref value, or by importing the secret in the second stack instead of directly referencing it?

[Malanius]

Doesn't seem that it has to be cross-environment. Happened to me in cross-stack references in the same environment.
Edit: it is cross-environment only, missed that the secrets stack didn't have the environment assigned. Switching stack from having an environment or not is enough to reproduce this issue.

One stack has only secrets that are later used in other stacks with ECS services. Originally the reference was handed down as CFN export/import and included the -????? suffix for secrets ARN, but now it is missing and ECS deployment fails as it claims it doesn't have access to truncated secret ARN.