Support Secret with partial Arn #7994
Labels: @aws-cdk/aws-secretsmanager (Related to AWS Secrets Manager), effort/small (Small work item – less than a day of effort), feature-request (A feature should be added or improved.), p1
Comments
tuler added the feature-request and needs-triage labels on May 15, 2020
Related: #7444, #6889 (comment)
skinny85 added the effort/small label and removed the needs-triage label on Jun 29, 2020
njlynch added a commit that referenced this issue on Sep 11, 2020:
Adds the ability to import secrets by name, including without the SecretsManager assigned suffix. As long as a secret with the same name has been created in each region with the same name, this allows for the same `fromSecretName` usage in stacks across regions. Oddly enough, most CloudFormation templates that take references to secrets accept either the full-form ARN, including the suffix, or just the base secret name (not in ARN format). The one place where a full ARN format is needed is in IAM policy statements, where the wildcard is necessary to account for the suffix. Tested this manually against an existing secret with a CodeBuild project; per the CloudFormation docs, this should work equally well with other SecretsManager-integrated services.
fixes #7444
fixes #7949
fixes #7994
njlynch added a commit that referenced this issue on Sep 14, 2020:
Adds the ability to import secrets by name, including without the SecretsManager assigned suffix. As long as a secret with the same name has been created in each region with the same name, this allows for the same `fromSecretName` usage in stacks across regions. Oddly enough, most CloudFormation templates that take references to secrets accept either the full-form ARN, including the suffix, or just the base secret name (not in ARN format). The one place where a full ARN format is needed is in IAM policy statements, where the wildcard is necessary to account for the suffix. Tested this manually against an existing secret with a CodeBuild project; per the CloudFormation docs, this should work equally well with other SecretsManager-integrated services.
fixes #7444
fixes #7949
fixes #7994
When a container in a `TaskDefinition` uses a secret, it automatically adds to the taskDefinition generated `executionRole` the IAM permission to read the secret value. If the secret is imported from an existing resource, by using `secretsmanager.Secret.fromSecretAttributes` or `secretsmanager.Secret.fromSecretArn`, the Arn can be a partial Arn, without the `-` and 6 random chars AWS appends to the friendly name. The problem is that `Secret.grantRead` gives permission to the exact Arn only, so the task fails to execute.
Use Case
It's common to use partial Arn when using secrets, because they represent friendly names.
Proposed Solution
I tried to manually add a more relaxed policy to the taskDefinition execution role, but it did not work.
I don't know why it did not work, or if this is the best approach.
This is a 🚀 Feature Request
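Added example, written in plain TypeScript without aws-cdk-lib (so it is not the CDK project's own code), illustrating the mismatch the issue describes: an IAM statement whose Resource is the partial ARN never matches the suffixed ARN that Secrets Manager actually assigns, while a `-??????` wildcard resource (the "wildcard ... to account for the suffix" the referenced commit mentions) does match it, and does so without also covering sibling secrets whose names merely share the prefix, which a trailing `*` would. The ARNs, account id and suffixes are constructed sample values; `resourceMatches` is a simplified stand-in for IAM's `*`/`?` resource matching, not the real policy evaluator.

```typescript
// Secrets Manager appends "-" plus six random characters to the secret name when it
// builds the ARN. All three ARNs below are constructed sample values, not real ones.
const PARTIAL_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db/password";
const FULL_ARN    = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db/password-AbCdEf";
// A different secret that happens to start with the same name (constructed).
const SIBLING_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db/password-old-GhIjKl";

// Translate an IAM Resource pattern into a RegExp: "*" matches any run of characters,
// "?" matches exactly one character, everything else is literal (simplified model).
function iamResourceToRegExp(pattern: string): RegExp {
  const escaped = pattern
    .split("")
    .map((ch) =>
      ch === "*" ? ".*" : ch === "?" ? "." : ch.replace(/[.+^${}()|[\]\\]/g, "\\$&"),
    )
    .join("");
  return new RegExp(`^${escaped}$`);
}

// Would a statement with this Resource pattern cover the ARN IAM evaluates at call time?
function resourceMatches(pattern: string, arn: string): boolean {
  return iamResourceToRegExp(pattern).test(arn);
}

// From a partial ARN (no suffix), build the resource pattern that covers exactly one
// "-" followed by six characters: wide enough for the unknown suffix, narrow enough
// not to grant sibling secrets that only share the prefix.
function secretResourceWithSuffix(partialArn: string): string {
  return `${partialArn}-??????`;
}

// A minimal read-only statement of the shape a grantRead produces (constructed, not CDK output).
function readSecretStatement(resource: string): { Effect: string; Action: string[]; Resource: string } {
  return {
    Effect: "Allow",
    Action: ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
    Resource: resource,
  };
}

// Outcome of each grant strategy against the real (suffixed) ARN and the sibling secret.
function compareGrants(): Record<string, { coversTarget: boolean; coversSibling: boolean }> {
  const strategies: Record<string, string> = {
    exactPartialArn: PARTIAL_ARN,                       // what grantRead on a partial ARN emits
    suffixWildcard: secretResourceWithSuffix(PARTIAL_ARN), // the "-??????" form
    trailingStar: `${PARTIAL_ARN}*`,                    // over-broad alternative
  };
  const out: Record<string, { coversTarget: boolean; coversSibling: boolean }> = {};
  for (const [name, resource] of Object.entries(strategies)) {
    out[name] = {
      coversTarget: resourceMatches(resource, FULL_ARN),
      coversSibling: resourceMatches(resource, SIBLING_ARN),
    };
  }
  return out;
}

console.log(JSON.stringify(readSecretStatement(secretResourceWithSuffix(PARTIAL_ARN)), null, 2));
console.log(compareGrants());
```

Running it shows the three outcomes side by side: the exact partial ARN covers nothing (the task's GetSecretValue call is denied), the `-??????` pattern covers the intended secret only, and `prod/db/password*` covers the intended secret but also `prod/db/password-old-...`. That last row is why the six-question-mark form is the one to prefer when a grant has to be widened by hand.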