aws-redshift-alpha: User DatabaseSecret created without masterarn in Secret Text causing multi-user secret rotation to fail #28852

@penniman26

Describe the bug

Multi-User Secret Rotation on Redshift User Secret does not work without a masterarn field present in Redshift User Secret serialized JSON text.

The User Construct does not plumb in the Cluster's secret (i.e. the master secret) to the DatabaseSecret in the User constructor.

A similar change was applied to RDS's DatabaseSecret and Cluster to enable Multi-User Secret Rotation.

Expected Behavior

After enabling Multi-User Secret Rotation:

        cluster.addRotationMultiUser(`${id}CredentialsRotation`, {
            secret: redshiftUser.secret,
            automaticallyAfter: secureProps.rotationPeriod,
        });

The Redshift User Secret has a masterarn so that Multi-User Secret Rotation works.

Current Behavior

The Secret Rotation Lambda fails with

    2024-01-10T00:23:45.982-08:00
    [ERROR] KeyError: 'masterarn'
    Traceback (most recent call last):
      File "/var/task/lambda_function.py", line 81, in lambda_handler
        set_secret(service_client, arn, token)
      File "/var/task/lambda_function.py", line 188, in set_secret
        admin_arn = current_dict['masterarn']

Reproduction Steps

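        // Cluster props are elided in the original report.
        const cluster = new Cluster(/* cluster props */);

        // The User construct creates its own DatabaseSecret; no masterarn is written to it.
        const user = new User(this, 'User', {
            cluster: cluster,
            databaseName: databaseName,
            username: username,
            adminUser: cluster.secret,
        });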

        cluster.addRotationMultiUser(`CredentialsRotation`, {
            secret: user.secret
        });

Possible Solution

Additional Information/Context

No response

CDK CLI Version

2.70.0

Framework Version

No response

Node.js Version

18

OS

AL2

Language

TypeScript

Language Version

No response

Other information

No response
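Added example, not part of the issue or of the CDK code base: a pre-flight check that flags a user secret whose JSON would trigger the `KeyError: 'masterarn'` shown in the traceback above. The function name `checkMultiUserSecret`, the ARN pattern, and both sample secrets (including their field layout) are constructed for illustration.

```typescript
type CheckResult = { ok: boolean; problems: string[] };

// Assumed shape of a Secrets Manager secret ARN:
// arn:<partition>:secretsmanager:<region>:<account-id>:secret:<name>
const SECRET_ARN = /^arn:[a-z0-9-]+:secretsmanager:[a-z0-9-]+:\d{12}:secret:.+$/;

// Hypothetical helper: inspect a secret's SecretString before enabling
// multi-user rotation on it.
function checkMultiUserSecret(secretString: string): CheckResult {
  let parsed: unknown;
  try {
    parsed = JSON.parse(secretString);
  } catch {
    return { ok: false, problems: ["SecretString is not valid JSON"] };
  }
  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
    return { ok: false, problems: ["SecretString is not a JSON object"] };
  }
  const secret = parsed as Record<string, unknown>;
  const problems: string[] = [];
  const masterarn = secret["masterarn"];
  if (masterarn === undefined) {
    // Same condition that makes current_dict['masterarn'] raise in set_secret.
    problems.push("missing 'masterarn'");
  } else if (typeof masterarn !== "string" || !SECRET_ARN.test(masterarn)) {
    problems.push("'masterarn' is not a Secrets Manager secret ARN");
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample: a user secret without a masterarn field.
const userSecretAsCreated = JSON.stringify({
  engine: "redshift",
  host: "example-cluster.example.internal",
  port: 5439,
  dbname: "exampledb",
  username: "example_user",
  password: "constructed-placeholder",
});

// Constructed sample: the same secret with the admin secret's ARN added.
const userSecretWithMaster = JSON.stringify({
  ...JSON.parse(userSecretAsCreated),
  masterarn: "arn:aws:secretsmanager:us-east-1:123456789012:secret:example-admin-AbCdEf",
});
```

Running the check against the secret's current value before calling `addRotationMultiUser` surfaces the problem at deploy or review time instead of in the rotation Lambda's logs.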

Labels: @aws-cdk/aws-redshift (Related to Amazon Redshift), bug (This issue is a bug.), effort/medium (Medium work item – several days of effort), p3