Skip to content

fix(rds): proxy target is missing KMS permissions#28858

Merged
mergify[bot] merged 3 commits intoaws:mainfrom
scub:aws-rds/kms-proxy-secrets
Jan 25, 2024
Merged

fix(rds): proxy target is missing KMS permissions#28858
mergify[bot] merged 3 commits intoaws:mainfrom
scub:aws-rds/kms-proxy-secrets

Conversation

@scub
Copy link
Copy Markdown
Contributor

@scub scub commented Jan 25, 2024
edited
Loading

When creating an RDS proxy. If the Secrets Manager Secret that holds the credentials is encrypted with a KMS key, any registered ProxyTarget(s) will fail to connect as they lack access the secret as it requires the ability to kms:Decrypt using the Secret's encrypted key.

When this occurs the following can be observed in the DatabaseProxy logs but only when debugLogging is set true.

Credentials couldn't be retrieved. The IAM role "arn:aws:iam:::role/ProxyIAMRole2FE8AB0F" is not authorized to read the AWS Secrets Manager secret with the ARN "arn:aws:secretsmanager:::secret:SecretA720EF05"

Reproduction steps

    const vpc = new Vpc(stack, 'Vpc');
    const kmsKey = new Key(stack, 'Key');
    const kmsEncryptedSecret = new secretsmanager.Secret(stack, 'Secret', {encryptionKey: kmsKey});

    const cluster = new rds.DatabaseCluster(stack, 'Database', {
      engine: rds.DatabaseClusterEngine.AURORA,
      instanceProps: { vpc },
    });

    new rds.DatabaseProxy(stack, 'Proxy', {
      proxyTarget: rds.ProxyTarget.fromCluster(cluster),
      debugLogging: true,
      vpc,
      secrets: [kmsEncryptedSecret],
    });

This is my first CDK PR, i've run the following:

yarn install
npx lerna run build --scope=aws-cdk-lib
cd packages/aws-cdk-lib
npx yarn test aws-rds
npx yarn lint aws-rds
npx yarn eslint --fix aws-rds/lib/proxy.ts aws-rds/test/proxy.test.ts

# Running integration tests
cd ../../
npx lerna run build --scope=@aws-cdk-testing/framework-integ
cd packages/@aws-cdk-testing/framework-integ
npx yarn integ test/aws-rds/test/*.js --update-on-failed

Closes #28850

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added bug This issue is a bug. p2 beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK labels Jan 25, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team January 25, 2024 04:10
@mergify mergify bot mentioned this pull request Jan 25, 2024
Closed
@scub scub mentioned this pull request Jan 25, 2024
Closed
@scub scub force-pushed the aws-rds/kms-proxy-secrets branch from 24ca4b6 to be19312 Compare January 25, 2024 04:44
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jan 25, 2024
lpizzinidev
lpizzinidev suggested changes Jan 25, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@lpizzinidev lpizzinidev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good 👍
Just a minor nit.
Also, can you please update the title of the PR to describe the bug (not the solution)?
Something like fix(rds): proxy target is missing KMS permissions should work.

@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jan 25, 2024
@scub scub force-pushed the aws-rds/kms-proxy-secrets branch from be19312 to 35089dc Compare January 25, 2024 13:51
@scub scub changed the title fix(rds): addProxy can use kms encrypted secrets fix(rds): proxy target is missing KMS permissions Jan 25, 2024
xazhao
xazhao approved these changes Jan 25, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@xazhao xazhao left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The change is pretty straightforward and looks good to me!

@mergify
Copy link
Copy Markdown
Contributor

mergify bot commented Jan 25, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Copy Markdown
Collaborator

aws-cdk-automation commented Jan 25, 2024

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: dab8b51
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit c17dbde into aws:main Jan 25, 2024
@mergify
Copy link
Copy Markdown
Contributor

mergify bot commented Jan 25, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@scub scub deleted the aws-rds/kms-proxy-secrets branch January 25, 2024 17:00
Vandita2020 pushed a commit to Vandita2020/aws-cdk that referenced this pull request Jan 30, 2024
@scub @Vandita2020
fix(rds): proxy target is missing KMS permissions (aws#28858)
823e101 
When creating an RDS proxy. If the Secrets Manager Secret that holds the credentials is encrypted with a KMS key, any registered ProxyTarget(s) will fail to connect as they lack access the secret as it requires the ability to `kms:Decrypt` using the Secret's encrypted key. 

When this occurs the following can be observed in the DatabaseProxy logs but only when `debugLogging` is set `true`.

```
Credentials couldn't be retrieved. The IAM role "arn:aws:iam:::role/ProxyIAMRole2FE8AB0F" is not authorized to read the AWS Secrets Manager secret with the ARN "arn:aws:secretsmanager:::secret:SecretA720EF05"
```


Reproduction steps

```
    const vpc = new Vpc(stack, 'Vpc');
    const kmsKey = new Key(stack, 'Key');
    const kmsEncryptedSecret = new secretsmanager.Secret(stack, 'Secret', {encryptionKey: kmsKey});

    const cluster = new rds.DatabaseCluster(stack, 'Database', {
      engine: rds.DatabaseClusterEngine.AURORA,
      instanceProps: { vpc },
    });

    new rds.DatabaseProxy(stack, 'Proxy', {
      proxyTarget: rds.ProxyTarget.fromCluster(cluster),
      debugLogging: true,
      vpc,
      secrets: [kmsEncryptedSecret],
    });
```

This is my first CDK PR, i've run the following:

```
yarn install
npx lerna run build --scope=aws-cdk-lib
cd packages/aws-cdk-lib
npx yarn test aws-rds
npx yarn lint aws-rds
npx yarn eslint --fix aws-rds/lib/proxy.ts aws-rds/test/proxy.test.ts

# Running integration tests
cd ../../
npx lerna run build --scope=@aws-cdk-testing/framework-integ
cd packages/@aws-cdk-testing/framework-integ
npx yarn integ test/aws-rds/test/*.js --update-on-failed
```


Closes aws#28850

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions github-actions bot mentioned this pull request Feb 1, 2024
Closed
SankyRed pushed a commit that referenced this pull request Feb 8, 2024
@scub @SankyRed
fix(rds): proxy target is missing KMS permissions (#28858)
779593e 
When creating an RDS proxy. If the Secrets Manager Secret that holds the credentials is encrypted with a KMS key, any registered ProxyTarget(s) will fail to connect as they lack access the secret as it requires the ability to `kms:Decrypt` using the Secret's encrypted key. 

When this occurs the following can be observed in the DatabaseProxy logs but only when `debugLogging` is set `true`.

```
Credentials couldn't be retrieved. The IAM role "arn:aws:iam:::role/ProxyIAMRole2FE8AB0F" is not authorized to read the AWS Secrets Manager secret with the ARN "arn:aws:secretsmanager:::secret:SecretA720EF05"
```


Reproduction steps

```
    const vpc = new Vpc(stack, 'Vpc');
    const kmsKey = new Key(stack, 'Key');
    const kmsEncryptedSecret = new secretsmanager.Secret(stack, 'Secret', {encryptionKey: kmsKey});

    const cluster = new rds.DatabaseCluster(stack, 'Database', {
      engine: rds.DatabaseClusterEngine.AURORA,
      instanceProps: { vpc },
    });

    new rds.DatabaseProxy(stack, 'Proxy', {
      proxyTarget: rds.ProxyTarget.fromCluster(cluster),
      debugLogging: true,
      vpc,
      secrets: [kmsEncryptedSecret],
    });
```

This is my first CDK PR, i've run the following:

```
yarn install
npx lerna run build --scope=aws-cdk-lib
cd packages/aws-cdk-lib
npx yarn test aws-rds
npx yarn lint aws-rds
npx yarn eslint --fix aws-rds/lib/proxy.ts aws-rds/test/proxy.test.ts

# Running integration tests
cd ../../
npx lerna run build --scope=@aws-cdk-testing/framework-integ
cd packages/@aws-cdk-testing/framework-integ
npx yarn integ test/aws-rds/test/*.js --update-on-failed
```


Closes #28850

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@lpizzinidev lpizzinidev lpizzinidev requested changes

@xazhao xazhao xazhao approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK bug This issue is a bug. p2

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

(rds): DatabaseProxy does not support Secrets Manager Secrets that have been encrypted with a KMS key

4 participants

@scub @aws-cdk-automation @lpizzinidev @xazhao