

feat(secretsmanager): Secret.grantRead() also gives DescribeSecret pe…
…rmissions (#8409)

`Secret.grantRead()` now gives permission for `secretsmanager:DescribeSecret` and `secretsmanager:GetSecretValue`,
instead of only `secretsmanager:GetSecretValue`.

Fixes #6444 
Fixes #7953 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
comcalvi authored Jun 6, 2020
1 parent 6c3545a commit f44ae60
Showing 6 changed files with 32 additions and 11 deletions.
Expand Up @@ -95,7 +95,10 @@
"PolicyDocument": {
"Statement": [
{
"Action": "secretsmanager:GetSecretValue",
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
],
"Effect": "Allow",
"Resource": {
"Ref": "SecretA720EF05"
Expand All @@ -113,4 +116,4 @@
}
}
}
}
}
Expand Up @@ -88,7 +88,10 @@
"PolicyDocument": {
"Statement": [
{
"Action": "secretsmanager:GetSecretValue",
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
],
"Effect": "Allow",
"Resource": {
"Ref": "SecretA720EF05"
Expand All @@ -106,4 +109,4 @@
}
}
}
}
}
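--- a/packages/@aws-cdk/aws-ecs/test/test.container-definition.ts
+++ b/packages/@aws-cdk/aws-ecs/test/test.container-definition.ts
@@ -755,7 +755,10 @@ export = {
 PolicyDocument: {
 Statement: [
 {
-Action: 'secretsmanager:GetSecretValue',
+Action: [
+'secretsmanager:GetSecretValue',
+'secretsmanager:DescribeSecret',
+],
 Effect: 'Allow',
 Resource: {
 Ref: 'SecretA720EF05',
@@ -1111,7 +1114,10 @@ export = {
 PolicyDocument: {
 Statement: [
 {
-Action: 'secretsmanager:GetSecretValue',
+Action: [
+'secretsmanager:GetSecretValue',
+'secretsmanager:DescribeSecret',
+],
 Effect: 'Allow',
 Resource: mySecretArn,
 },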
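--- a/packages/@aws-cdk/aws-secretsmanager/lib/secret.ts
+++ b/packages/@aws-cdk/aws-secretsmanager/lib/secret.ts
@@ -135,7 +135,7 @@ abstract class SecretBase extends Resource implements ISecret {
 
 const result = iam.Grant.addToPrincipal({
 grantee,
-actions: ['secretsmanager:GetSecretValue'],
+actions: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'],
 resourceArns: [this.secretArn],
 scope: this,
 });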
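Review bot: The widened `actions` list on the added line still sits under whatever `Condition` the surrounding `addToPrincipal` call attaches (the updated test in test.secret.ts from line 255 expects a statement carrying both actions together with a `Condition:` block), and if that condition keys on `secretsmanager:VersionStage`, a DescribeSecret request carries no version stage and would presumably not be authorized by this statement. If keeping DescribeSecret out of the version-restricted form is intended, a short comment on the added line should say so; otherwise DescribeSecret belongs in its own statement without the condition. The `grantRead` TSDoc above this hunk should also be updated to state that the grant now covers `secretsmanager:DescribeSecret`, e.g. `* Grants reading the secret value and its metadata (GetSecretValue and DescribeSecret) to some role.` grantRead's signature and the rest of its body are outside the hunk.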
Expand Up @@ -38,7 +38,10 @@
"PolicyDocument": {
"Statement": [
{
"Action": "secretsmanager:GetSecretValue",
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
],
"Effect": "Allow",
"Resource": {
"Ref": "SecretA720EF05"
Expand Down Expand Up @@ -121,4 +124,4 @@
}
}
}
}
}
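--- a/packages/@aws-cdk/aws-secretsmanager/test/test.secret.ts
+++ b/packages/@aws-cdk/aws-secretsmanager/test/test.secret.ts
@@ -189,7 +189,10 @@ export = {
 PolicyDocument: {
 Version: '2012-10-17',
 Statement: [{
-Action: 'secretsmanager:GetSecretValue',
+Action: [
+'secretsmanager:GetSecretValue',
+'secretsmanager:DescribeSecret',
+],
 Effect: 'Allow',
 Resource: { Ref: 'SecretA720EF05' },
 }],
@@ -252,7 +255,10 @@ export = {
 PolicyDocument: {
 Version: '2012-10-17',
 Statement: [{
-Action: 'secretsmanager:GetSecretValue',
+Action: [
+'secretsmanager:GetSecretValue',
+'secretsmanager:DescribeSecret',
+],
 Effect: 'Allow',
 Resource: { Ref: 'SecretA720EF05' },
 Condition: {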
