Skip to content

fix(secretsmanager): hosted rotation with fromSecretNameV2() does not create correct iam policy#28379

Merged
mergify[bot] merged 9 commits intoaws:mainfrom
go-to-k:fix/secret-hosted-schedule-from-method
Dec 20, 2023
Merged

fix(secretsmanager): hosted rotation with fromSecretNameV2() does not create correct iam policy#28379
mergify[bot] merged 9 commits intoaws:mainfrom
go-to-k:fix/secret-hosted-schedule-from-method

Conversation

@go-to-k
Copy link
Copy Markdown
Contributor

@go-to-k go-to-k commented Dec 15, 2023
edited
Loading

In the case for a hosted rotation with a master secret by fromSecretNameV2(), IAM policy for lambda is not correct.

The secret by the method has a partial ARN, so a generated IAM policy should use an ARN with '-??????', but it will not use the ARN.

Closes #28308.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added bug This issue is a bug. effort/medium Medium work item – several days of effort p2 distinguished-contributor [Pilot] contributed 50+ PRs to the CDK labels Dec 15, 2023
@aws-cdk-automation aws-cdk-automation requested a review from a team December 15, 2023 10:30
aws-cdk-automation
aws-cdk-automation previously requested changes Dec 15, 2023
View reviewed changes
Copy link
Copy Markdown
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@go-to-k go-to-k changed the title fix(secretsmanager): hosted rotation does not generate correct policy with imported secret as master secret fix(secretsmanager): hosted rotation with fromSecretNameV2() does not create correct iam policy Dec 15, 2023
@aws-cdk-automation aws-cdk-automation dismissed their stale review December 15, 2023 16:43

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@go-to-k go-to-k marked this pull request as ready for review December 15, 2023 16:52
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Dec 15, 2023
@go-to-k go-to-k marked this pull request as draft December 15, 2023 17:29
@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Dec 16, 2023
@go-to-k go-to-k marked this pull request as ready for review December 16, 2023 17:23
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Dec 16, 2023
go-to-k
go-to-k commented Dec 16, 2023
View reviewed changes
Comment thread packages/aws-cdk-lib/aws-secretsmanager/lib/rotation-schedule.ts
Comment on lines +329 to +333
if (this.masterSecret?.secretFullArn) {
masterSecretArn = this.masterSecret.secretArn;
} else if (this.masterSecret) { // ISecret as an imported secret with partial ARN
masterSecretArn = this.masterSecret.secretArn + '-??????';
}
Copy link
Copy Markdown
Contributor Author

@go-to-k go-to-k Dec 16, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • if (this.masterSecret?.secretFullArn)
    • If we call a secret construct for this.masterSecret in the stack, here is true.
    • Otherwise this.masterSecret is generated from fromSecretArn(), fromSecretCompleteArn() methods, etc. They also have a full ARN, so here is also true.
      • This if statement will be true even if the arg (so it is the arn) for the methods is a token or not.
  • else if (this.masterSecret)
    • The secret is ISecret as an imported secret with partial ARN. It is generated from fromSecretNameV2().
    • The secretArn in this block will be a token. But processing this string is not a problem because the CloudFormation template can use Fn::Join to combine them properly. (see the unit tests.)

paulhcsun
paulhcsun approved these changes Dec 20, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@paulhcsun paulhcsun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this fix @go-to-k!

@aws-cdk-automation
Copy link
Copy Markdown
Collaborator

aws-cdk-automation commented Dec 20, 2023

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: f359c12
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Copy link
Copy Markdown
Contributor

mergify bot commented Dec 20, 2023

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 4ab5bb2 into aws:main Dec 20, 2023
@github-actions github-actions bot mentioned this pull request Jan 1, 2024
Closed
paulhcsun pushed a commit to paulhcsun/aws-cdk that referenced this pull request Jan 5, 2024
@go-to-k @paulhcsun
fix(secretsmanager): hosted rotation with fromSecretNameV2() does not…
1bf5fb1 
… create correct iam policy (aws#28379)

In the case for a hosted rotation with a master secret by `fromSecretNameV2()`, IAM policy for lambda is not correct.

The secret by the method has a partial ARN, so a generated IAM policy should use an ARN with `'-??????'`, but it will not use the ARN.

Closes aws#28308.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@anentropic anentropic mentioned this pull request Jan 12, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aws-cdk-automation aws-cdk-automation aws-cdk-automation left review comments

+1 more reviewer

@paulhcsun paulhcsun paulhcsun approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

bug This issue is a bug. distinguished-contributor [Pilot] contributed 50+ PRs to the CDK effort/medium Medium work item – several days of effort p2 pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

secrets: addRotationSchedule() with fromSecretNameV2() does not create correct iam policy for lambda

3 participants

@go-to-k @aws-cdk-automation @paulhcsun