aws-cdk: (aws-secretsmanager): grant read fails when secret is fetched using fromSecretNamev2
What is the problem?
I have manually created a secret named “SECRET-NAME” in SecretsManager and need to request it in one of my stacks. I’m doing it like so:

```python
# Import alias assumed from the snippet (CDK v2 Python module path)
from aws_cdk.aws_secretsmanager import Secret as SMSecret

# Look up the existing secret by name (no full ARN available at synth time)
secret = SMSecret.from_secret_name_v2(
    self, "Secret", "SECRET-NAME"
)
```
When I grant read access to a role like so:
```python
secret.grant_read(role)
```
It generates the wrong access:
```
[ ] {
[ ]   "Action": [
[+]     "secretsmanager:GetSecretValue",
[+]     "secretsmanager:DescribeSecret"
[+]   ],
[+]   "Effect": "Allow",
[+]   "Resource": {
[+]     "Fn::Join": [
[+]       "",
[+]       [
[+]         "arn:",
[+]         {
[+]           "Ref": "AWS::Partition"
[+]         },
[+]         ":secretsmanager:eu-central-1:726654634199:secret:SECRET-NAME-??????"
[+]       ]
[+]     ]
[+]   }
[+] },
```
Reproduction Steps
Create a manual secret without the secretsmanager added suffix and request it from within your code.
What did you expect to happen?
I would have expected my role to have read access to the role
What actually happened?
A non-existing ARN was used as the secret ARN in the policy
CDK CLI Version
2.0.0-rc.33
Framework Version
No response
Node.js Version
14.16.0
OS
Arch Linux
Language
Python
Language Version
Python 3.9.9
Other information
No response
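The mismatch the report describes can be checked before deploying. The following is an added example, not code from the issue or from aws-cdk: it applies IAM's Resource wildcard rules (`*` matches any run of characters, `?` exactly one) to the synthesized Resource pattern and compares it against the secret's real ARN. The account id and suffix below are constructed placeholders; in practice, use the ARN returned by `aws secretsmanager describe-secret --secret-id SECRET-NAME`.

```python
import re

# Constructed sample values (placeholder account and random suffix,
# not taken from the issue).
SYNTHESIZED_RESOURCE = (
    "arn:aws:secretsmanager:eu-central-1:123456789012:secret:SECRET-NAME-??????"
)
ACTUAL_SECRET_ARN = (
    "arn:aws:secretsmanager:eu-central-1:123456789012:secret:SECRET-NAME-a1B2c3"
)


def iam_resource_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an IAM Resource ARN pattern into an anchored regex.

    IAM treats '*' as any run of characters and '?' as exactly one
    character; every other character (including ':' and '/') is literal.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def resource_matches(pattern: str, arn: str) -> bool:
    """True if a statement with this Resource pattern would cover the ARN."""
    return iam_resource_pattern_to_regex(pattern).match(arn) is not None


def check_grant(pattern: str, arn: str) -> dict:
    """Report whether the synthesized grant covers the real secret ARN and
    show the two name parts side by side so a mismatch is easy to spot."""
    return {
        "matches": resource_matches(pattern, arn),
        "pattern_name": pattern.rsplit(":secret:", 1)[-1],
        "arn_name": arn.rsplit(":secret:", 1)[-1],
    }


if __name__ == "__main__":
    print(check_grant(SYNTHESIZED_RESOURCE, ACTUAL_SECRET_ARN))
```

If the report shows `matches: False`, the name-based lookup cannot express the secret's ARN; referencing the full ARN with `Secret.from_secret_complete_arn` avoids the wildcard guess entirely.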
About this issue
- State: closed
- Created 3 years ago
- Reactions: 3
- Comments: 23 (13 by maintainers)
This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.
I’ll try to reproduce this next week at some point. Thanks for the find @CarsonF