Closed avalara-stephen-hickey closed 1 year ago
I'm not sure this is the best approach. I can't understand the side effects for other users of this library.
@normj maybe could shed some lights on this?
Alternatively, I'd rather add to the configuration a delegate that allows the customization of the request before its sent.
I know the configuration is getting a bit crowded with many properties, but I'm really afraid of a change that could cause issues to other users.
That is interesting that going across accounts is requiring AWSCURRENT
to be set. For my own education I would be curious on how the resource policy is configured, is it using a specific secret arn or wildcard and does that make a difference.
I don't think @avalara-stephen-hickey suggestion will have any negative side effects for other users but there is the question do you want provide the ability for more customizations in the version id and stage.
Thank you @normj for your input.
I see the request customization delegate a way to solve this issue and potentially handle future needs like the one you mention.
Anyway, maybe it's a policy configuration error. @avalara-stephen-hickey would it be ok for you to share a sanitized version of your policy?
I appreciate the quick response!
As far as I understand, there wouldn't be any affect on other users since this is supposed to be the default behavior anyway. But I understand your fear that it may affect other users because it's documented as the default behavior but somehow is also required in this scenario. My company has documented this behavior and attaches the following note to every secret they share.
Ensure that the development team is specifying version-state as AWSCURRENT. AWS docs state that if not specified it defaults to that version, however it needs to be explicitly stated for this to work.
A configurator option will solve my need, but I think to have long-term benefit, the action would require a context of what secret is being requested so that a user could change the version stage per secret.
Here are all the roles and policies related to what I'm experiencing.
AWS Account 1 (where the secret is)
// Policy arn:aws:iam::1:policy/policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecretVersionIds"
],
"Resource": "arn:aws:secretsmanager:us-west-2:1:secret:secret"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"kms:GetPublicKey",
"kms:ListKeyPolicies",
"kms:ListRetirableGrants",
"kms:GetKeyPolicy",
"kms:ListResourceTags",
"kms:ListGrants",
"kms:GetParametersForImport",
"kms:DescribeCustomKeyStores",
"kms:ListKeys",
"secretsmanager:GetRandomPassword",
"kms:GetKeyRotationStatus",
"kms:ListAliases",
"kms:DescribeKey",
"secretsmanager:ListSecrets"
],
"Resource": "arn:aws:kms:us-west-2:1:key/key"
}
]
}
// Role arn:aws:iam::1:role/role
// Trusted relationships
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::2:role/role2"
},
"Action": "sts:AssumeRole"
}
]
}
AWS Account 2 (the account that I'm accessing the secret from)
// Role arn:aws:iam::2:role/role2
// Trusted relationships
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com",
"AWS": "arn:aws:sts::2:assumed-role/{redacted}/me@mycompany.com"
},
"Action": "sts:AssumeRole"
}
]
}
// Policy arn:aws:iam::2:policy/policy2
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "secretsmanager:GetSecretValue",
"Resource": "arn:aws:secretsmanager:us-west-2:1:secret:secret"
},
{
"Effect": "Allow",
"Action": "kms:Decrypt",
"Resource": "arn:aws:kms:us-west-2:1:key/key"
},
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::1:role/role"
}
]
}
Here's an example of me assuming and using the role in account 2 and the result.
var chain = new Amazon.Runtime.CredentialManagement.CredentialProfileStoreChain();
// %USERPROFILE%/.aws/credentials looks like
// [sharedsecretprofile]
// role_arn = arn:aws:iam::2:role/role2
// source_profile = default
// toolkit_artifact_guid = {redacted}
if (!chain.TryGetAWSCredentials("sharedsecretprofile", out var credentials))
{
return;
}
var client = new AmazonSecretsManagerClient(credentials);
// This returns the secret result as I would expect.
var test = await client.GetSecretValueAsync(new GetSecretValueRequest
{
SecretId = secretId,
VersionStage = "AWSCURRENT"
});
// This throws, error below.
var test2 = await client.GetSecretValueAsync(new GetSecretValueRequest
{
SecretId = secretId
});
Error
User: arn:aws:sts::2:assumed-role/role2/aws-dotnet-sdk-session-{redacted} is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-west-2:1:secret:secret because no resource-based policy allows the secretsmanager:GetSecretValue action
Here's a proposed change, let me know what you think.
This is the "add to the configuration a delegate that allows the customization of the request before its sent" approach.
@Kralizek thanks for merging the change! What is your release cadence for minor versions so I can know when to expect to include it?
I wanted to check the other PR and then release a 2.0
@avalara-stephen-hickey
@avalara-stephen-hickey I've done of move around of the commits so that the PR you worked on can be released as 1.7 without waiting for me to release the 2.0. Would you be ok fetching the artifacts and try them before I publish an actual release?
Yeah, I'll look into that today.
Yeah, I'll look into that today.
Thanks. I'll let you know when it's ready and add a comment to the build in AppVeyor.
I've confirmed 1.7.0 solves the issue I was having. Thank you for your time and help!
Great to hear. Thank you for your help!
Would you mind giving a look at #80 and see if you like what I'm cooking there?
Background
There are times when it's required to specify the version stage when performing
secretsmanager:GetSecretValue
.In my case, when accessing a secret in a different AWS account, that has been shared to a credential I've grabbed from the CredentialProfileStoreChain, I am only able to access the secret when specifying
--version-stage AWSCURRENT
.In the previous code block, when specifying
--version-stage AWSCURRENT
, I am able to retrieve the secret. Without it, I get the errorThe AWS documentation says it is set to
AWSCURRENT
by default, but that is clearly not true based on the previous example.Proposal
Add
VersionStage = "AWSCURRENT"
to theGetSecretValueRequest
.I believe this change won't have any affect on any users as not specifying the stage should have the same affect as specifying
AWSCURRENT
as the stage.Changes
Update SecretsManagerConfigurationProvider#L218 from
to
I'd be happy to make this change if it's decided the change is okay.