Skip to content

fix(rds): addProxy can use kms encrypted secrets#28849

Closed
scub wants to merge 2 commits intoaws:mainfrom
scub:aws-rds/kms-proxy-secrets
Closed

fix(rds): addProxy can use kms encrypted secrets#28849
scub wants to merge 2 commits intoaws:mainfrom
scub:aws-rds/kms-proxy-secrets

Conversation

@scub
Copy link
Copy Markdown
Contributor

@scub scub commented Jan 24, 2024
edited
Loading

When creating an RDS proxy if the Secrets Manager secret that holds the Credentials is encrypted with a KMS key and registered ProxyTarget(s) will fail to connect as they lack access to kms:Decrypt using the encrypted key.

When this occurs the following can be observed in the DatabaseProxy logs but only when debugLogging is set true.

Credentials couldn't be retrieved. The IAM role "arn:aws:iam:::role/ProxyIAMRole2FE8AB0F" is not authorized to read the AWS Secrets Manager secret with the ARN "arn:aws:secretsmanager:::secret:SecretA720EF05"

This is my first CDK PR, i've run the following:

yarn install
npx lerna run build --scope=aws-cdk-lib
cd packages/aws-cdk-lib
npx yarn test aws-rds
npx yarn lint aws-rds
npx yarn eslint --fix aws-rds/lib/proxy.ts aws-rds/test/proxy.test.ts

# Running integration tests
cd ../../
npx lerna run build --scope=@aws-cdk-testing/framework-integ
cd packages/@aws-cdk-testing/framework-integ
npx yarn integ test/aws-rds/test/*.js --update-on-failed

Closes #28850

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team January 24, 2024 22:44
@github-actions github-actions bot added bug This issue is a bug. p2 beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK labels Jan 24, 2024
aws-cdk-automation
aws-cdk-automation previously requested changes Jan 24, 2024
View reviewed changes
Copy link
Copy Markdown
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@scub scub mentioned this pull request Jan 24, 2024
Closed
@scub
Copy link
Copy Markdown
Contributor Author

scub commented Jan 24, 2024

Exemption Request for changes to integration tests as tests have been provided in packages/aws-cdk-lib/aws-rds/test/proxy.test.ts

@aws-cdk-automation aws-cdk-automation added the pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback. label Jan 24, 2024
@scub scub force-pushed the aws-rds/kms-proxy-secrets branch from a94387d to 1574aca Compare January 24, 2024 23:24
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jan 24, 2024
@aws-cdk-automation aws-cdk-automation dismissed their stale review January 25, 2024 04:04

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@scub scub closed this Jan 25, 2024
@mergify
Copy link
Copy Markdown
Contributor

mergify bot commented Jan 25, 2024

⚠️ The sha of the head commit of this PR conflicts with #28858. Mergify cannot evaluate rules on this PR. ⚠️

@aws-cdk-automation
Copy link
Copy Markdown
Collaborator

aws-cdk-automation commented Jan 25, 2024

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: f07eb3f
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@github-actions github-actions bot mentioned this pull request Feb 1, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aws-cdk-automation aws-cdk-automation aws-cdk-automation left review comments

Assignees

No one assigned

Labels

beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK bug This issue is a bug. p2 pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

(rds): DatabaseProxy does not support Secrets Manager Secrets that have been encrypted with a KMS key

2 participants

@scub @aws-cdk-automation