3

I am trying to create a canary resource that uses a script that needs a secret. I'm trying to add a policy statement to the canary role (which I'm creating as part of the cdk). To do this I need to get the secrets full arn, I can get the partial arn with

secret_from_name = secretsmanager.Secret.from_secret_name_v2

then use it like

resources = [secret_from_name.secret_arn]

but that doesn't give me the full arn and the permissions don't work.

.....because no identity-based policy allows the secretsmanager:GetSecretValue action

Thought I would get around this by doing

resources = [secret_from_name.secret_full_arn]

But because this is derived by name, it doesn't get the full arn and you get 'undefined'

I also tried getting it from attribute using the partial arn, no joy there either.

So is there any way around this? As what I don't want to do is pass around full arn's or is there another way I can grant access to this reousece?

fedonev
  • 20,327
  • 2
  • 25
  • 34
BrokenEyes
  • 192
  • 2
  • 18

1 Answers1

5

Secret ARNs have a dash and 6 random characters at the end. Define the IAM policy statement's resource with a -?????? wildcard suffix to grant your role access to all versions of the secret name.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": [
        "arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-??????"
      ]
    }
  ]
}

In a CDK context you can simply use string concatenation to assemble the policy statement's resource ARN from the secret's name. Or use a CDK ARN utility (Arn.format or Stack.format_arn).

fedonev
  • 20,327
  • 2
  • 25
  • 34