Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(secretsmanager): Partial ARN used in policies and secretFullArn evaluates to the partial ARN when Secret used across environments #22468

Open
gshpychka opened this issue Oct 12, 2022 · 4 comments
Open

(secretsmanager): Partial ARN used in policies and secretFullArn evaluates to the partial ARN when Secret used across environments #22468

gshpychka opened this issue Oct 12, 2022 · 4 comments
Labels
@aws-cdk/aws-secretsmanager Related to AWS Secrets Manager bug This issue is a bug. effort/small Small work item – less than a day of effort p2

Comments

@gshpychka
Copy link
Contributor

gshpychka commented Oct 12, 2022
edited
Loading

Describe the bug

When a Secret is created and then passed to a cross-env stack (provided the secret has a specified physical name), its internal arnForPolicies is its partial ARN without the 6-character suffix. This is wrong, as the generated policies from e.g. grantRead cannot use the partial ARN as is - they have to append -?????? to it.

Expected Behavior

When doing Secret.grantRead in a cross-environment stack, the resulting CF template contains the partial ARN of the secret followed by -??????.

Current Behavior

The partial ARN is used as is.

Reproduction Steps

Here's a simple Python app:

import os
import aws_cdk as cdk
from aws_cdk import aws_iam as iam, aws_secretsmanager as sm, aws_ssm as ssmapp = cdk.App()
​
root_env = cdk.Environment(
    account=os.environ["CDK_DEFAULT_ACCOUNT"], region="us-east-1"
)
cross_region_env = cdk.Environment(
    account=os.environ["CDK_DEFAULT_ACCOUNT"], region="us-west-2"
)
​
producer_stack = cdk.Stack(app, "producer", env=root_env)
consumer_stack = cdk.Stack(app, "consumer", env=cross_region_env)
​
secret = sm.Secret(producer_stack, "secret", secret_name="MySecret")
role = iam.Role(consumer_stack, "role", assumed_by=iam.ServicePrincipal("foo"))
​
secret.grant_read(role)

ssm.StringParameter(consumer_stack, "parameter", string_value=secret.secret_full_arn)
​
app.synth()

Relevant excerpts of the synthed template of the consumer:

  "roleDefaultPolicy7C980EBA": {
   "Type": "AWS::IAM::Policy",
   "Properties": {
    "PolicyDocument": {
     "Statement": [
      {
       "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue"
       ],
       "Effect": "Allow",
       "Resource": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":secretsmanager:us-east-1:574067550520:secret:MySecret"
         ]
        ]
       }
      }
     ],
     "Version": "2012-10-17"
    },
    "PolicyName": "roleDefaultPolicy7C980EBA",

The value of secretFullArn evaluates to the partial ARN, which is probably related.

  "parameter76C24FC7": {
   "Type": "AWS::SSM::Parameter",
   "Properties": {
    "Type": "String",
    "Value": {
     "Fn::Join": [
      "",
      [
       "arn:",
       {
        "Ref": "AWS::Partition"
       },
       ":secretsmanager:us-east-1:574067550520:secret:MySecret"
      ]
     ]
    }
   },
   "Metadata": {
    "aws:cdk:path": "consumer/parameter/Resource"
   }
  }
 },

Possible Solution

No response

Additional Information/Context

In addition, the secret's secretFullArn prop evaluates to the partial ARN at synth time (in the consumer stack, that is).

CDK CLI Version

2.45.0

Framework Version

No response

Node.js Version

18.9.0

OS

Linux

Language

Python

Language Version

No response

Other information

No response
@gshpychka gshpychka added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 12, 2022
@github-actions github-actions bot added the @aws-cdk/aws-secretsmanager Related to AWS Secrets Manager label Oct 12, 2022
@gshpychka gshpychka changed the title (secretsmanager): Partial ARN used in policies when Secret passed across environments (secretsmanager): Partial ARN used in policies and secretFullArn evaluates to the partial ARN when Secret passed across environments Oct 12, 2022
@gshpychka gshpychka changed the title (secretsmanager): Partial ARN used in policies and secretFullArn evaluates to the partial ARN when Secret passed across environments (secretsmanager): Partial ARN used in policies and secretFullArn evaluates to the partial ARN when Secret used across environments Oct 12, 2022
@aiden-sobey
Copy link

We also lost time to this bug, would love to see a fix by AWS.

@gshpychka
Copy link
Contributor Author

@madeline-k can you please take a look?

@peterwoodworth
Copy link
Contributor

I'm not sure where exactly we handle cross-env references, so I'm not too sure where to look for this. However, can you work around this by either passing in the CfnSecret.ref value, or by importing the secret in the second stack instead of directly referencing it?

@peterwoodworth peterwoodworth added p2 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Dec 5, 2022
@Malanius
Copy link

Malanius commented Feb 9, 2023
edited
Loading

Doesn't seem that it has to be cross-environment. Happened to me in cross-stack references in the same environment.
Edit: it is cross-environment only, missed that the secrets stack didn't have the environment assigned. Switching stack from having an environment or not is enough to reproduce this issue.

One stack has only secrets that are later used in other stacks with ECS services. Originally the reference was handed down as CFN export/import and included the -????? suffix for secrets ARN, but now it is missing and ECS deployment fails as it claims it doesn't have access to truncated secret ARN.

image
image

@peterwoodworth peterwoodworth added p1 and removed p2 labels Feb 9, 2023
@gshpychka gshpychka mentioned this issue Jul 10, 2023
Merged
mergify bot pushed a commit that referenced this issue Jul 24, 2023
@gshpychka
fix(secretsmanager): arnForPolicies evaluates to the partial ARN if…
0e808d8 
… accessed from a cross-env stack (#26308)

Currently, `Secret.secretFullArn` returns the partial ARN if the secret is referenced between cross-env stacks.
An obvious practical implication is that `grant*` methods will produce an incorrect ARN for the IAM policies, since a full ARN is required for cross-environment access.

This PR partially fixes the issue - I reimplemented `arnForPolicies` to be lazily evaluated. It checks if the value is being accessed across environments and adds `-??????` to the ARN if it is.

Now, this does not solve the underlying issue of `secretFullArn` returning the partial ARN. While it should return undefined, we have to check how the prop is accessed (same environment or cross-env) before we know whether to return the ARN or `undefined`. If we use a `Lazy` here, it still cannot return `undefined` (only `any` as the closest thing).

So I don't think the underlying cause could be solved currently, that's why I opted for this partial fix that would address the most practical consequence of the bug.
 
This is a partial fix for #22468.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
bmoffatt pushed a commit to bmoffatt/aws-cdk that referenced this issue Jul 29, 2023
@gshpychka @bmoffatt
fix(secretsmanager): arnForPolicies evaluates to the partial ARN if…
bff062d 
… accessed from a cross-env stack (aws#26308)

Currently, `Secret.secretFullArn` returns the partial ARN if the secret is referenced between cross-env stacks.
An obvious practical implication is that `grant*` methods will produce an incorrect ARN for the IAM policies, since a full ARN is required for cross-environment access.

This PR partially fixes the issue - I reimplemented `arnForPolicies` to be lazily evaluated. It checks if the value is being accessed across environments and adds `-??????` to the ARN if it is.

Now, this does not solve the underlying issue of `secretFullArn` returning the partial ARN. While it should return undefined, we have to check how the prop is accessed (same environment or cross-env) before we know whether to return the ARN or `undefined`. If we use a `Lazy` here, it still cannot return `undefined` (only `any` as the closest thing).

So I don't think the underlying cause could be solved currently, that's why I opted for this partial fix that would address the most practical consequence of the bug.
 
This is a partial fix for aws#22468.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@pahud pahud added p2 and removed p1 labels Jun 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-secretsmanager Related to AWS Secrets Manager bug This issue is a bug. effort/small Small work item – less than a day of effort p2
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@pahud @Malanius @gshpychka @aiden-sobey @peterwoodworth @madeline-k