I am trying to create a canary resource that uses a script that needs a secret. I'm trying to add a policy statement to the canary role (which I'm creating as part of the CDK). To do this I need to get the secret's full ARN. I can get the partial ARN with
secret_from_name = secretsmanager.Secret.from_secret_name_v2
then use it like
resources = [secret_from_name.secret_arn]
but that doesn't give me the full ARN, and the permissions don't work:
.....because no identity-based policy allows the secretsmanager:GetSecretValue action
Thought I would get around this by doing
resources = [secret_from_name.secret_full_arn]
But because this is derived by name, it doesn't get the full ARN and you get 'undefined'.
I also tried getting it from attribute using the partial arn, no joy there either.
So is there any way around this? What I don't want to do is pass around full ARNs. Or is there another way I can grant access to this resource?
Secret ARNs have a dash and 6 random characters at the end. Define the IAM policy statement's resource with a `-??????` wildcard suffix to grant your role access to all versions of the secret name.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": [
        "arn:aws:secretsmanager:<region>:<account-id-number>:secret:<secret-name>-??????"
      ]
    }
  ]
}
```
In a CDK context you can simply use string concatenation to assemble the policy statement's resource ARN from the secret's name, or use a CDK ARN utility (`Arn.format` or `Stack.format_arn`).
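As an added example (not part of the answer above, and not CDK code), the following builds the `-??????` resource ARN by plain string formatting so it runs without `aws_cdk` installed, produces the policy document from the answer, and emulates IAM's `*`/`?` wildcard matching to show why the pattern matches the real full ARN but the bare partial ARN never did. Region, account id and secret name are constructed sample values.

```python
import json
import re

# Constructed sample values; not a real account or secret.
REGION = "us-east-1"
ACCOUNT = "123456789012"
SECRET_NAME = "prod/canary/api-key"


def secret_arn_pattern(region: str, account: str, secret_name: str) -> str:
    """Partial ARN plus the -?????? suffix that stands in for the six random
    characters Secrets Manager appends to every secret ARN."""
    return f"arn:aws:secretsmanager:{region}:{account}:secret:{secret_name}-??????"


def get_secret_value_policy(region: str, account: str, secret_name: str) -> dict:
    """The policy document from the answer, with the resource ARN assembled
    from the secret name instead of a hard-coded full ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "secretsmanager:GetSecretValue",
                "Resource": [secret_arn_pattern(region, account, secret_name)],
            }
        ],
    }


def iam_resource_matches(pattern: str, arn: str) -> bool:
    """Emulate IAM resource matching: '*' matches any run of characters,
    '?' matches exactly one character, everything else is literal."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, arn) is not None


if __name__ == "__main__":
    pattern = secret_arn_pattern(REGION, ACCOUNT, SECRET_NAME)
    base = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:{SECRET_NAME}"
    print(json.dumps(get_secret_value_policy(REGION, ACCOUNT, SECRET_NAME), indent=2))
    # Full ARN with a constructed 6-character suffix: matched.
    print(iam_resource_matches(pattern, base + "-AbCdEf"))
    # Partial ARN (what secret_arn returned in the question): not matched.
    print(iam_resource_matches(pattern, base))
    # A different secret whose name merely starts the same way: not matched.
    print(iam_resource_matches(pattern, base + "-other-AbCdEf"))
```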