aws-samples / aws-devops-blog-alexa-cdk-walkthrough

MIT No Attribution

How to use SecretValue creating a skill? #18

Open wz2b opened 3 weeks ago

wz2b commented 3 weeks ago

https://github.com/aws-samples/aws-devops-blog-alexa-cdk-walkthrough/blob/73cbfd23ef1a5281b6080c2135f1142724b38027/lib/alexa-cdk-stack.ts#L18

I tried to use this example:

    import * as cdk from 'aws-cdk-lib';
    import * as ssm from 'aws-cdk-lib/aws-ssm';
    import { Skill } from 'cdk-alexa-skill';

    // inside the Stack constructor (skillBackendLambdaFunction is defined earlier in the stack)
    const PARAM_PREFIX = '/xxxx-ha-skill/'
    const alexaVendorId = ssm.StringParameter.valueForStringParameter(this, `${PARAM_PREFIX}alexa-developer-vendor-id`);
    const lwaClientId = ssm.StringParameter.valueForStringParameter(this, `${PARAM_PREFIX}lwa-client-id`);
    const lwaClientSecret = cdk.SecretValue.secretsManager(`${PARAM_PREFIX}lwa-client-secret`);
    const lwaRefreshToken = cdk.SecretValue.secretsManager(`${PARAM_PREFIX}lwa-refresh-token`);

    const skill = new Skill(this, 'Skill', {
      endpointLambdaFunction: skillBackendLambdaFunction, // @aws-cdk/aws-lambda.IFunction object containing backend code for the Alexa Skill
      skillPackagePath: 'src/skill-package', // path to your skill package
      alexaVendorId: alexaVendorId, // vendor ID of Alexa Developer account
      lwaClientId: lwaClientId, // client ID of LWA Security Profile
      lwaClientSecret: lwaClientSecret, // @aws-cdk/core.SecretValue object containing client secret of LWA Security Profile
      lwaRefreshToken: lwaRefreshToken // @aws-cdk/core.SecretValue object containing refresh token of LWA Security Profile
    });

but it doesn't work:

Error: Resolution error: Synthing a secret value to . Using a SecretValue here risks exposing your secret. Only pass SecretValues to constructs that accept a SecretValue property, or call AWS Secrets Manager directly in your runtime code. Call 'secretValue.unsafeUnwrap()' if you understand and accept the risks..

Unfortunately, adding .unsafeUnwrap() doesn't work either, because that returns a string, not a SecretValue. I cannot figure out a workaround for this. The fact that new Skill() accepts a SecretValue tells me it should work.

Versions of everything:

      "devDependencies": {
        "@types/jest": "^29.5.11",
        "@types/node": "20.14.2",
        "aws-cdk": "2.144.0",
        "ask-cli": "^2.10.0",
        "jest": "^29.7.0",
        "ts-jest": "^29.1.2",
        "ts-node": "^10.9.2",
        "typescript": "~5.4.5",
        "esbuild": "^0.21.4"
      },
      "dependencies": {
        "aws-cdk-lib": "2.144.0",
        "cdk-alexa-skill": "^2.0.4",
        "constructs": "^10.3.0",
        "source-map-support": "^0.5.21"
      }
wz2b commented 3 weeks ago

OK, I found part of the answer HERE

In a nutshell, it's saying to get rid of the warning by adding:

    "@aws-cdk/core:checkSecretUsage": false,

to cdk.json. Note, though, that the Stack Overflow answer says:

Ideally you'd address the root cause (perhaps the 3rd Party Skill construct?) so the check can remain enabled. But disabling the flag should silence the error.

which I believe to be the right solution ...

wz2b commented 3 weeks ago

I confirmed that with checkSecretUsage disabled it still does the right thing, i.e. it did not leak my secrets into the CloudFormation template. So that's good. Disabling the check is still not a great idea, though; it won't catch it if someone makes a mistake elsewhere.
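With `@aws-cdk/core:checkSecretUsage` turned off, nothing in CDK itself will complain if a `SecretValue` is stringified into a plain string property somewhere else in the stack, so one compensating control is a post-synth scan of the `cdk.out` template. The block below is an added example written for this discussion; it is not code from the aws-devops-blog-alexa-cdk-walkthrough project or from cdk-alexa-skill. It assumes that a correctly passed `SecretValue.secretsManager()` or `SecretValue.ssmSecure()` reaches the template only as a CloudFormation dynamic reference (`{{resolve:secretsmanager:...}}` or `{{resolve:ssm-secure:...}}`), and flags (a) any string leaf containing the plaintext of a secret you know the value of, and (b) any string literal sitting under a secret-looking property name. The sample template, its `Custom::AlexaSkill` resource type and its property names are constructed for illustration, not taken from a real synth.

```typescript
// Post-synth guard against secrets leaking into a synthesized CloudFormation
// template. Added example; not part of aws-devops-blog-alexa-cdk-walkthrough
// or cdk-alexa-skill. Assumption: secrets should appear in the template only
// as CloudFormation dynamic references, which CDK emits for a SecretValue.

type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

interface Finding {
  path: string;   // dotted path into the template
  reason: string;
}

// Dynamic references are resolved by CloudFormation at deploy time, so the
// stored template never carries the secret in plaintext.
const DYNAMIC_REFERENCE = /^\{\{resolve:(secretsmanager|ssm-secure):[^}]+\}\}$/;

// Property names that usually carry a credential. Matched against the
// immediate key of a string leaf only, so intrinsic wrappers such as
// { "Ref": ... } or { "Fn::GetAtt": [...] } under such a key are not flagged.
// Limitation: a plain string hidden inside Fn::Join under a secret-like key
// is only caught if its value is in knownSecrets.
const SECRET_LIKE_KEY = /(secret|password|token|credential)$/i;

function scanTemplate(template: Json, knownSecrets: string[]): Finding[] {
  const findings: Finding[] = [];
  const secrets = knownSecrets.filter((s) => s.length > 0);

  const visit = (node: Json, path: string, key: string): void => {
    if (Array.isArray(node)) {
      node.forEach((item, i) => visit(item, `${path}[${i}]`, key));
      return;
    }
    if (node !== null && typeof node === 'object') {
      Object.keys(node).forEach((k) => visit(node[k], path ? `${path}.${k}` : k, k));
      return;
    }
    if (typeof node !== 'string') return;
    if (DYNAMIC_REFERENCE.test(node)) return; // resolved at deploy time: fine

    for (const secret of secrets) {
      if (node.indexOf(secret) !== -1) {
        findings.push({ path, reason: 'plaintext of a known secret value' });
        return;
      }
    }
    if (SECRET_LIKE_KEY.test(key)) {
      findings.push({ path, reason: `literal under secret-like key "${key}"` });
    }
  };

  visit(template, '', '');
  return findings;
}

// Constructed sample resembling a synthesized cdk.out template (not a real one).
const KNOWN_SECRETS = ['constructed-client-secret-value'];

const SAMPLE_TEMPLATE: Json = {
  Parameters: {
    SsmParameterValueLwaClientId: {
      Type: 'AWS::SSM::Parameter::Value<String>',
      Default: '/xxxx-ha-skill/lwa-client-id',
    },
  },
  Resources: {
    Skill: {
      Type: 'Custom::AlexaSkill', // placeholder resource type, constructed
      Properties: {
        LwaClientId: { Ref: 'SsmParameterValueLwaClientId' },
        // What a correctly passed SecretValue looks like after synth.
        LwaClientSecret: '{{resolve:secretsmanager:/xxxx-ha-skill/lwa-client-secret:SecretString:::}}',
        LwaRefreshToken: '{{resolve:secretsmanager:/xxxx-ha-skill/lwa-refresh-token:SecretString:::}}',
      },
    },
    Backend: {
      Type: 'AWS::Lambda::Function',
      Properties: {
        Environment: {
          Variables: {
            // Two mistakes a disabled checkSecretUsage flag would not catch:
            LWA_REFRESH_TOKEN: 'Atzr|constructed-refresh-token',
            DEBUG_NOTE: 'client secret is constructed-client-secret-value',
          },
        },
      },
    },
  },
};

function findingsForSample(): Finding[] {
  return scanTemplate(SAMPLE_TEMPLATE, KNOWN_SECRETS);
}

// In CI: read each template in cdk.out, call scanTemplate, and fail the build
// when findings is non-empty.
findingsForSample().forEach((f) => console.error(`LEAK ${f.path}: ${f.reason}`));
```

Feed it the real template by parsing `cdk.out/<stack>.template.json` instead of `SAMPLE_TEMPLATE`, and pass the actual secret values only in a CI job that already has permission to read them; the known-value check is the one that catches a secret that leaked under an innocuous property name.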