SecretsManager: import by name, add secretId property to ISecret #7444
Assignees
Labels
@aws-cdk/aws-secretsmanager
Related to AWS Secrets Manager
effort/small
Small work item – less than a day of effort
feature-request
A feature should be added or improved.
p1
Comments
rix0rrr
added
feature-request
This was referenced Jun 29, 2020
njlynch
added a commit
that referenced
this issue
Sep 11, 2020
Adds the ability to import secrets by name, including without the SecretsManager assigned suffix. As long as a secret with the same name has been created in each region with the same name, this allows for the same `fromSecretName` usage in stacks across regions. Oddly enough, most CloudFormation templates that take references to secrets accept either the full-form ARN, including the suffix or just the base secret name (not in ARN format). The one place where a full ARN format is needed is in IAM policy statements, where the wildcard is necessary to account for the suffix. Tested this manually against an existing secret with a CodeBuild project; per the CloudFormation docs, this should work equally well with other SecretsManager-integrated services. fixes #7444 fixes #7949 fixes #7994
njlynch
added a commit
that referenced
this issue
Sep 11, 2020
Adds the ability to import secrets by name, including without the SecretsManager assigned suffix. As long as a secret with the same name has been created in each region with the same name, this allows for the same `fromSecretName` usage in stacks across regions. Oddly enough, most CloudFormation templates that take references to secrets accept either the full-form ARN, including the suffix or just the base secret name (not in ARN format). The one place where a full ARN format is needed is in IAM policy statements, where the wildcard is necessary to account for the suffix. Tested this manually against an existing secret with a CodeBuild project; per the CloudFormation docs, this should work equally well with other SecretsManager-integrated services. fixes #7444 fixes #7949 fixes #7994
njlynch
added a commit
that referenced
this issue
Sep 14, 2020
Adds the ability to import secrets by name, including without the SecretsManager assigned suffix. As long as a secret with the same name has been created in each region with the same name, this allows for the same `fromSecretName` usage in stacks across regions. Oddly enough, most CloudFormation templates that take references to secrets accept either the full-form ARN, including the suffix or just the base secret name (not in ARN format). The one place where a full ARN format is needed is in IAM policy statements, where the wildcard is necessary to account for the suffix. Tested this manually against an existing secret with a CodeBuild project; per the CloudFormation docs, this should work equally well with other SecretsManager-integrated services. fixes #7444 fixes #7949 fixes #7994
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The Secrets Manager import feature is currently quite annoying to import existing secrets in an account-agnostic way.
It would be perfectly fine to import and access them by name, but the API doesn't currently support it.
Needs an accessor to hold the non-ARN attribute, and needs to be calculcated from an ARN if not available, and we need to grant permissions on
<id>-*.This is a 🚀 Feature Request
The text was updated successfully, but these errors were encountered: