Describe the bug
Pre 2.89.0 we could import a secret from a complete secret arn in one stack and reference this secret from another stack in a different region to include it in a policy/role through grantRead on the secret construct.
Since 2.89.0 the arn in the policy treats the completeSecretArn as a partial arn, adding -??????, which makes the policy invalid and does not allow access to the secret as intended.
Expected Behavior
If importing a secret from a complete arn, the arn used in policies should be the complete arn and not include a wildcard for matching a suffix, which allows the intended action by the policy.
Current Behavior
When referencing an imported secret construct from a cross-region stack, the arn used in policies has a wildcard suffix matcher appended, which makes the referenced policy invalid for allowing the intended action.
Reproduction Steps
- Create a cdk app with the following stacks
- Create a stack in one region which includes a Secret construct imported from a complete secret arn
- Create a stack in another region which includes a Role which is granted access to the secret with grantRead on the secret construct
- Synthesize the stacks and see the additional role suffix.
Reproduction repository:
https://github.com/rv2673/aws-cdk-cross-region-secret-import-reproduction
Possible Solution
- Override arnForPolicies in the class returned from the fromSecretAttributes method on the Secret construct.
- Fix conditions in the _arnForPolicies Lazy.string implementation function
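Added example, not code from this issue or from aws-cdk: a post-synth check that encodes the expected behaviour above (complete arn used verbatim, only a partial arn gets the -?????? wildcard) and scans a synthesized template's AWS::IAM::Policy resources for a known complete arn that had the wildcard appended. The template, arn and account id are constructed for the example; the function names are assumptions.

```typescript
type Statement = { Effect?: string; Action?: string | string[]; Resource?: unknown };
type Template = { Resources?: { [logicalId: string]: { Type?: string; Properties?: any } } };

const PARTIAL_ARN_SUFFIX = "-??????";

// Intended behaviour: a complete ARN is used verbatim in policies; only a partial ARN
// (no generated 6-character suffix) gets the wildcard so the policy still matches.
export function arnForPolicy(attrs: { secretCompleteArn?: string; secretPartialArn?: string }): string {
  if (attrs.secretCompleteArn) return attrs.secretCompleteArn;
  if (attrs.secretPartialArn) return attrs.secretPartialArn + PARTIAL_ARN_SUFFIX;
  throw new Error("secretCompleteArn or secretPartialArn is required");
}

// Resolve a Resource entry to literal strings; Fn::Join of literal parts is flattened,
// other intrinsics (Ref, Fn::GetAtt) are skipped since they cannot be checked offline.
function literalResources(resource: unknown): string[] {
  if (typeof resource === "string") return [resource];
  if (Array.isArray(resource)) return resource.reduce<string[]>((a, r) => a.concat(literalResources(r)), []);
  const join = (resource as any)?.["Fn::Join"];
  if (Array.isArray(join) && Array.isArray(join[1]) && join[1].every((p: unknown) => typeof p === "string")) {
    return [join[1].join(join[0])];
  }
  return [];
}

// Flag every AWS::IAM::Policy resource (what grantRead adds to a Role's DefaultPolicy)
// whose Resource is a known complete ARN with "-??????" appended.
export function findWildcardedCompleteArns(template: Template, completeArns: string[]): string[] {
  const bad = completeArns.map((a) => a + PARTIAL_ARN_SUFFIX);
  const hits: string[] = [];
  const resources = template.Resources ?? {};
  for (const id of Object.keys(resources)) {
    if (resources[id].Type !== "AWS::IAM::Policy") continue;
    const stmts: Statement[] = resources[id].Properties?.PolicyDocument?.Statement ?? [];
    for (const stmt of stmts) {
      for (const arn of literalResources(stmt.Resource)) {
        if (bad.indexOf(arn) !== -1) hits.push(arn);
      }
    }
  }
  return hits;
}

// Constructed sample (fake account id): the cross-region stack's template as synthesized under the bug.
export const COMPLETE_ARN = "arn:aws:secretsmanager:us-east-1:111111111111:secret:app/db-AbCdEf";
export const SAMPLE_TEMPLATE: Template = { Resources: { RoleDefaultPolicy: {
  Type: "AWS::IAM::Policy",
  Properties: { PolicyDocument: { Statement: [{ Effect: "Allow",
    Action: ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
    Resource: COMPLETE_ARN + PARTIAL_ARN_SUFFIX }] } } } } };
```

Run it against the output of cdk synth for the cross-region stack with the complete arns the app imports; an empty result means the policies reference the secret exactly as intended.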
Additional Information/Context
No response
CDK CLI Version
2.92.0
Framework Version
No response
Node.js Version
18
OS
ubuntu
Language
Typescript
Language Version
No response
Other information
No response