
[secretsmanager] object.secret.secret_name returns the end of the ARN not the Secrets name #11573

Closed
gergnz opened this issue Nov 19, 2020 · 5 comments
Labels
@aws-cdk/aws-secretsmanager Related to AWS Secrets Manager guidance Question that needs advice or information. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@gergnz
Contributor

gergnz commented Nov 19, 2020

When creating an RDS Instance, it creates a secret for the DB. When trying to use that secret later I expect to be able to use the Secret name and the ARN correctly, but the secret name is being returned as the last item of the ARN with the extra suffix, which is incorrect.

Reproduction Steps

from aws_cdk import aws_ec2 as ec2, aws_iam as iam, aws_rds as rds

db = rds.DatabaseInstance(...)

app = ec2.Instance(...)
# Scope the instance role to exactly this secret: the full ARN includes the suffix
app.add_to_role_policy(
  iam.PolicyStatement(
    actions=["secretsmanager:GetSecretValue"],
    resources=[db.secret.secret_full_arn]
  )
)

# Fetch the secret at boot; secret_name resolves to the resource part of the ARN, suffix included
app.add_user_data('''
region=$(curl -s http://169.254.169.254/latest/meta-data/placement/availability-zone | sed 's/[a-z]$//')
aws --region $region secretsmanager get-secret-value --secret-id ''' + db.secret.secret_name + ''' >> /tmp/details
''')

What did you expect to happen?

I expect that /tmp/details is populated with the value stored in the secrets manager for that name.

I want to get the value out of secrets manager.

What actually happened?

The user data of the instance gets populated with the name:
dbSecret8003E3A7-mIXuhO5ONwLb-qeNyUO

but the name should be:
dbSecret8003E3A7-mIXuhO5ONwLb

the ARN in the policy is correct:
arn:aws:secretsmanager:ap-southeast-2:025705368789:secret:dbSecret8003E3A7-mIXuhO5ONwLb-qeNyUO

Environment

  • CDK CLI Version : 1.73.0 (build eb6f3a9)
  • Framework Version: 1.73.0
  • Node.js Version: v14.5.0
  • OS : macOS Catalina 10.15.7
  • Language (Version): Python (3.9.0)

Other


This is 🐛 Bug Report

@gergnz gergnz added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 19, 2020
@github-actions github-actions bot added the @aws-cdk/aws-secretsmanager Related to AWS Secrets Manager label Nov 19, 2020
@gergnz
Contributor Author

gergnz commented Nov 19, 2020

This is related to #11202 and #10914

@gergnz
Contributor Author

gergnz commented Nov 19, 2020

https://github.com/aws/aws-cdk/pull/11202/files#r517667089

@skinny85

Basically, I'm worried that someone will use secretName somewhere where the name of the Secret is expected, and when it resolves to MySecret-123456, it will fail at deploy time.

I think I just found a way where I want the secret name used without the extra suffix.

And if we look at the console it uses the shortened secret name:

(Screenshot, 2020-11-19 21:29:24: Secrets Manager console showing the shortened secret name)

@njlynch
Contributor

njlynch commented Nov 19, 2020

Hi @gergnz .

Can you help me understand a bit more about your use case?

  • Why are you using the secret name in the user data, rather than the ARN (since you have both)?
  • What is the negative impact of having the full secret name in the user data, as opposed to the partial name without the suffix? Both will retrieve the secret from Secrets Manager. Are you not seeing the secret value in /tmp/details?

At the surface, there is no (simple) way to get the "friendly" secret name from a secret that's just been created; it's not one of the return values from CloudFormation, and needs to be parsed from the ARN. A custom resource could take the full ARN and calculate the "friendly" secret name, but it's unclear what value that provides. Perhaps if I understood more about your use case I could make a different suggestion?

I think I just found a way where I want the secret name used without the extra suffix.

Does this mean you found a workaround that works for you? Would you mind sharing what you've done?

@njlynch njlynch added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. guidance Question that needs advice or information. and removed bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 19, 2020
@gergnz
Contributor Author

gergnz commented Nov 20, 2020

Why are you using the secret name in the user data, rather than the ARN (since you have both)?

Because I swear I tried and couldn't see that I could use the ARN. Have now tried again, and that works.

At the surface, there is no (simple) way to get the "friendly" secret name from a secret that's just been created;

Yes, I went through the code and can see that. I was thinking you could wrap the ParseArn that sets up a Fn::Select with another Fn::Select to try and drop the suffix, but wasn't coming up with a solid way to achieve that in a sane way.

Does this mean you found a workaround that works for you? Would you mind sharing what you've done?

Negative, I have not found a good workaround that would be consistent. Given that I have now retried the ARN, I have a way forward and don't immediately see a need for the name for my needs.

Thanks for getting back to me and sorry for the noise.
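The naming behaviour discussed in this thread, as an added example that is not part of the issue or of the CDK code base: the resource part of a Secrets Manager ARN is the friendly name plus a hyphen and six random characters, so deriving the console name means stripping exactly that suffix rather than splitting on hyphens (the name in this issue contains one itself). The helper names are assumptions; the ARN is the one reported above, and the `-??????` wildcard is the documented IAM pattern for matching a secret by friendly name when the suffix is not known.

```python
import re
from dataclasses import dataclass

# Secrets Manager builds the ARN as <friendly name> + "-" + six random characters,
# so the resource part of the ARN is not the friendly name on its own.
SECRET_ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):secretsmanager:(?P<region>[^:]*):"
    r"(?P<account>\d{12}):secret:(?P<resource>[^:]+)$"
)
SUFFIX_RE = re.compile(r"-[A-Za-z0-9]{6}$")


@dataclass(frozen=True)
class SecretIdentity:
    full_arn: str
    resource_name: str   # ARN resource part, suffix included (what secret_name yields in the issue)
    friendly_name: str   # name as the console shows it, suffix removed
    partition: str
    region: str
    account: str


def parse_secret_arn(arn: str) -> SecretIdentity:
    """Split a Secrets Manager ARN into its parts and derive the friendly name."""
    m = SECRET_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a Secrets Manager secret ARN: {arn}")
    resource = m.group("resource")
    # Strip exactly the trailing "-xxxxxx". Splitting on "-" would truncate
    # names that themselves contain hyphens, as the one in this issue does.
    if not SUFFIX_RE.search(resource):
        raise ValueError(f"ARN resource lacks the six-character suffix: {resource}")
    return SecretIdentity(
        full_arn=arn, resource_name=resource, friendly_name=resource[:-7],
        partition=m.group("partition"), region=m.group("region"), account=m.group("account"),
    )


def policy_resource_for_name(partition: str, region: str, account: str, friendly_name: str) -> str:
    """IAM Resource value matching a secret by friendly name when the suffix is unknown.

    "-??????" covers the hyphen plus six random characters. When the full ARN is
    available (secret_full_arn in the issue), it is the tighter choice.
    """
    return f"arn:{partition}:secretsmanager:{region}:{account}:secret:{friendly_name}-??????"
```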

@gergnz gergnz closed this as completed Nov 20, 2020
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
