Describe the bug
When creating a DatabaseProxy, if the Secrets Manager Secret that holds the Credentials is encrypted with a KMS key, any registered ProxyTarget(s) will fail to connect, as they lack access to kms:Decrypt the secret using the encrypted key.
When this occurs, the following can be observed in the DatabaseProxy logs, but only when debugLogging is set to true:
Credentials couldn't be retrieved. The IAM role "arn:aws:iam:::role/ProxyIAMRole2FE8AB0F" is not authorized to read the AWS Secrets Manager secret with the ARN "arn:aws:secretsmanager:::secret:SecretA720EF05"
Expected Behavior
DatabaseProxy is able to use Secrets when they are encrypted with a KMS key.
Current Behavior
DatabaseProxy fails to successfully create
Reproduction Steps
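import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import { Key } from 'aws-cdk-lib/aws-kms';
import * as rds from 'aws-cdk-lib/aws-rds';
import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';

// Stack and VPC setup assumed by the snippet
const stack = new cdk.Stack();
const vpc = new ec2.Vpc(stack, 'Vpc');
// Secret encrypted with a customer managed KMS key
const kmsKey = new Key(stack, 'Key');
const kmsEncryptedSecret = new secretsmanager.Secret(stack, 'Secret', { encryptionKey: kmsKey });
const cluster = new rds.DatabaseCluster(stack, 'Database', {
  engine: rds.DatabaseClusterEngine.AURORA,
  instanceProps: { vpc },
});
// Proxy that reads its credentials from the encrypted secret
new rds.DatabaseProxy(stack, 'Proxy', {
  proxyTarget: rds.ProxyTarget.fromCluster(cluster),
  vpc,
  secrets: [kmsEncryptedSecret],
});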
Possible Solution
Submitted for the approval of the midnight society: The tale of #28858
Additional Information/Context
No response
CDK CLI Version
2.122.0
Framework Version
No response
Node.js Version
20
OS
Mac
Language
TypeScript
Language Version
No response
Other information
No response
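A pre-deployment check for the condition this report describes, as an added example that is not part of the original issue or of the CDK code base: it scans a synthesized CloudFormation template for an AWS::RDS::DBProxy whose secret has a KmsKeyId but whose role has no identity-policy statement allowing kms:Decrypt on that key. The template, logical IDs and function names are constructed for illustration, and access granted through the KMS key policy is not considered.

```typescript
// Minimal shape for the parts of a synthesized CloudFormation template inspected here.
type Template = { Resources: { [id: string]: { Type: string; Properties?: any } } };

// Logical ID behind a { Ref } or { 'Fn::GetAtt': [id, attr] } intrinsic, if any.
function logicalId(v: any): string | undefined {
  if (v && typeof v.Ref === 'string') return v.Ref;
  return v && Array.isArray(v['Fn::GetAtt']) ? v['Fn::GetAtt'][0] : undefined;
}

const asArray = (x: any): any[] => (Array.isArray(x) ? x : x === undefined ? [] : [x]);

// True if an AWS::IAM::Policy attached to roleId allows kms:Decrypt on keyId.
function roleCanDecrypt(t: Template, roleId: string, keyId: string): boolean {
  return Object.keys(t.Resources).map((id) => t.Resources[id]).some((r) =>
    r.Type === 'AWS::IAM::Policy' &&
    asArray(r.Properties?.Roles).some((x) => logicalId(x) === roleId) &&
    asArray(r.Properties?.PolicyDocument?.Statement).some((s) =>
      s.Effect === 'Allow' &&
      asArray(s.Action).some((a) => a === 'kms:Decrypt' || a === 'kms:*') &&
      asArray(s.Resource).some((x) => x === '*' || logicalId(x) === keyId)));
}

// "proxy -> secret" pairs where the proxy role has no kms:Decrypt on the secret's key.
function findUndecryptableProxySecrets(t: Template): string[] {
  const findings: string[] = [];
  for (const proxyId of Object.keys(t.Resources)) {
    const proxy = t.Resources[proxyId];
    if (proxy.Type !== 'AWS::RDS::DBProxy') continue;
    const roleId = logicalId(proxy.Properties?.RoleArn);
    for (const auth of asArray(proxy.Properties?.Auth)) {
      const secretId = logicalId(auth.SecretArn);
      const secret = secretId ? t.Resources[secretId] : undefined;
      const keyId = logicalId(secret?.Properties?.KmsKeyId);
      if (!roleId || !keyId) continue; // no customer key in this template, or role not resolvable
      if (!roleCanDecrypt(t, roleId, keyId)) findings.push(`${proxyId} -> ${secretId}`);
    }
  }
  return findings;
}

// Constructed template shaped like the reproduction above (logical IDs and policy are assumptions).
const broken: Template = { Resources: {
  Key: { Type: 'AWS::KMS::Key' },
  Secret: { Type: 'AWS::SecretsManager::Secret', Properties: { KmsKeyId: { 'Fn::GetAtt': ['Key', 'Arn'] } } },
  ProxyRole: { Type: 'AWS::IAM::Role' },
  ProxyRolePolicy: { Type: 'AWS::IAM::Policy', Properties: { Roles: [{ Ref: 'ProxyRole' }], PolicyDocument: {
    Statement: [{ Effect: 'Allow', Action: 'secretsmanager:GetSecretValue', Resource: { Ref: 'Secret' } }] } } },
  Proxy: { Type: 'AWS::RDS::DBProxy', Properties: { RoleArn: { 'Fn::GetAtt': ['ProxyRole', 'Arn'] }, Auth: [{ SecretArn: { Ref: 'Secret' } }] } },
} };
```

Calling `findUndecryptableProxySecrets(broken)` reports the proxy and secret pair; adding an Allow statement for `kms:Decrypt` on the key to the role's policy clears the finding.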