(aws-rds): grantConnect generates incorrect policy for DatabaseInstanceReadReplica #31061

@moltar

Description

Describe the bug

Calling grantConnect on an instance of DatabaseInstanceReadReplica generates an incorrect policy that uses the full ARN of the instance instead of the instanceResourceId value.

Expected Behavior

{
    "Action": "rds-db:connect",
    "Resource": "arn:aws:rds-db:us-east-1:1234567890:dbuser:db-INSTANCE_RESOURCE_ID/user",
    "Effect": "Allow"
}

Current Behavior

{
    "Action": "rds-db:connect",
    "Resource": "arn:aws:rds-db:us-east-1:1234567890:dbuser:arn:aws:rds:us-east-1:1234567890:db:instance-name-wq2y5qzlfdy6/user",
    "Effect": "Allow"
}

Reproduction Steps

  1. Create a read replica
  2. Call grantConnect on it

Possible Solution

No response

Additional Information/Context

Stack.of(this).formatArn({
    arnFormat: ArnFormat.COLON_RESOURCE_NAME,
    service: 'rds-db',
    resource: 'dbuser',
    resourceName: [this.instanceResourceId, dbUser].join('/'),
}),

CDK CLI Version

2.150.0

Framework Version

2.150.0

Node.js Version

v20.14.0

OS

macOS

Language

TypeScript

Language Version

No response

Other information

No response

Metadata

Labels

  - @aws-cdk/aws-rds: Related to Amazon Relational Database
  - bug: This issue is a bug.
  - effort/small: Small work item – less than a day of effort
  - p2
